WO2023050813A1 - 数据处理和密钥保护方法、装置、设备、存储介质和程序 - Google Patents
数据处理和密钥保护方法、装置、设备、存储介质和程序 Download PDFInfo
- Publication number
- WO2023050813A1 WO2023050813A1 PCT/CN2022/091086 CN2022091086W WO2023050813A1 WO 2023050813 A1 WO2023050813 A1 WO 2023050813A1 CN 2022091086 W CN2022091086 W CN 2022091086W WO 2023050813 A1 WO2023050813 A1 WO 2023050813A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- data
- window
- coordinates
- zero
- coordinate
- Prior art date
Links
- 238000000034 method Methods 0.000 title claims abstract description 85
- 238000003860 storage Methods 0.000 title claims abstract description 14
- 238000003672 processing method Methods 0.000 title claims abstract description 13
- 238000012545 processing Methods 0.000 claims abstract description 203
- 230000008030 elimination Effects 0.000 claims abstract description 68
- 238000003379 elimination reaction Methods 0.000 claims abstract description 68
- 238000004364 calculation method Methods 0.000 claims description 164
- 230000005540 biological transmission Effects 0.000 claims description 40
- 238000006243 chemical reaction Methods 0.000 claims description 19
- 230000008569 process Effects 0.000 claims description 17
- 238000004458 analytical method Methods 0.000 claims description 14
- 238000004891 communication Methods 0.000 claims description 13
- 238000012795 verification Methods 0.000 claims description 11
- 238000004590 computer program Methods 0.000 claims description 8
- 238000004422 calculation algorithm Methods 0.000 description 27
- 238000010586 diagram Methods 0.000 description 12
- 230000008859 change Effects 0.000 description 6
- 238000005516 engineering process Methods 0.000 description 4
- 230000006870 function Effects 0.000 description 3
- 230000009466 transformation Effects 0.000 description 3
- 230000002159 abnormal effect Effects 0.000 description 2
- 239000000872 buffer Substances 0.000 description 2
- 238000011065 in-situ storage Methods 0.000 description 2
- PXFBZOLANLWPMH-UHFFFAOYSA-N 16-Epiaffinine Natural products C1C(C2=CC=CC=C2N2)=C2C(=O)CC2C(=CC)CN(C)C1C2CO PXFBZOLANLWPMH-UHFFFAOYSA-N 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 238000001514 detection method Methods 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 239000004973 liquid crystal related substance Substances 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 230000009467 reduction Effects 0.000 description 1
- 239000004065 semiconductor Substances 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
Definitions
- the present disclosure relates to the field of computer technology, and in particular to data processing and key protection methods, devices, equipment, storage media and programs.
- the SM2 cryptographic algorithm has a tendency to gradually replace the RSA algorithm.
- the RSA encryption algorithm is widely used in various industries, and the SM2 encryption algorithm is gradually being promoted.
- RSA encryption algorithm and SM2 encryption algorithm can be widely used in various scenarios, such as: data encryption transmission of remote meter reading, data encryption transmission between wireless terminals and master stations in power wireless private network communication, distribution network Data encryption transmission between the client and the security gateway, etc.
- the RSA algorithm and SM2 algorithm in the power system can be implemented in the chip to obtain higher reliability and computing efficiency.
- the core of the encryption algorithm implemented in the chip is the dot product operation.
- the dot multiplication operation can involve the participation of a key such as a private key, and the dot multiplication operation is realized by using the data processing method of data processing window by window.
- an all-zero window may appear in the data string, that is, a data processing window in which all data bits are 0.
- the physical state of the chip such as voltage, current, and power may change. , the attacker can attack according to the characteristics of the power consumption curve generated by different operations.
- the window method is also often used for protection, so there is also an all-zero window that causes the physical state of the chip information to change, which can be detected by the outside. The problem of being attacked.
- embodiments of the present disclosure provide a data processing and key protection method, device, device, storage medium, and program.
- an embodiment of the present disclosure provides a data processing method for eliminating an all-zero window in a data string, including:
- the data obtaining step obtains the input key data
- a data randomization step performing randomization processing on the key data to obtain randomized data
- the all-zero window elimination step is to subtract the preset non-zero sequence from the randomized data to obtain the all-zero window elimination data.
- the data randomization step includes: randomizing the key data by using an integer word-length random number whose highest bit is 1 and an order of the elliptic curve to obtain the randomized data.
- the preset non-zero sequence includes: a sequence in which at least one bit in the data processing window is 1 and other bits are 0.
- the preset non-zero sequence includes: a sequence in which any bit in the data processing window is 1 and other bits are 0.
- the preset non-zero sequence includes: a sequence in which the last bit in the data processing window is 1 and the remaining bits are 0.
- an embodiment of the present disclosure provides a key protection method in data transmission, including:
- the data obtaining step obtains the input key data
- a data randomization step performing randomization processing on the key data to obtain randomized data
- the all-zero window elimination step is to subtract the preset non-zero sequence from the randomized data to obtain the all-zero window elimination data;
- the window division step is to perform window division on the all-zero window elimination data according to the preset data processing window length, and obtain the data after dividing the window;
- the dot product step is to obtain the predetermined coordinates, initialize the first coordinates, calculate the predetermined coordinates and the dot product calculation of the data after the window is divided by data processing window, and combine the result of the dot product calculation with the times of the first coordinates Point the calculation result, update the first coordinates, and obtain the first target coordinates.
- the present disclosure further includes:
- the coordinate conversion step is to convert the first target coordinates into the second target coordinates of the specified dimension.
- the present disclosure further includes:
- the verifying step is to verify the second target coordinates in the specified dimension.
- the acquiring predetermined coordinates includes:
- the coordinate randomization sub-step is to randomize the specified coordinates to obtain randomized coordinates, wherein the specified coordinates are coordinates satisfying the elliptic curve equation;
- the pre-calculation sub-step is to pre-calculate the randomized coordinates by using a specified increment sequence to obtain the predetermined coordinates.
- the pre-computing the randomized coordinates using a specified increment sequence includes:
- Multiplication is performed using the elements in the specified incrementing sequence and the randomized coordinates.
- updating the first coordinate includes:
- the dot product step further includes:
- the first coordinate is a point at infinity
- the data randomization step includes: randomizing the key data by using an integer word-length random number whose highest bit is 1 and an order of the elliptic curve to obtain the randomized data.
- the preset non-zero sequence includes: a sequence in which at least one bit in the data processing window is 1 and other bits are 0.
- the preset non-zero sequence includes: a sequence in which any bit in the data processing window is 1 and other bits are 0.
- the preset non-zero sequence includes: a sequence in which the last bit in the data processing window is 1 and the remaining bits are 0.
- the window division step includes: in the data processing window, adding the all-zero window elimination data and a specific value corresponding to the preset non-zero sequence to obtain the window-divided data.
- the coordinate conversion step includes:
- the verifying step includes: verifying whether the second target coordinate of the specified dimension is on an elliptic curve.
- the second target coordinate of the specified dimension is not on the elliptic curve, it is judged that the key protection method in the transmission data is attacked by differential error analysis, the second target coordinate of the specified dimension is discarded, and/or an alarm is issued. information.
- an embodiment of the present disclosure provides a data processing device for eliminating all-zero windows in a data string, including:
- a data acquisition module configured to acquire input key data
- the data randomization module is used for randomizing the key data to obtain randomized data
- the all-zero window elimination module is used to subtract the preset non-zero sequence from the randomized data to obtain the all-zero window elimination data.
- the data randomization module is used for randomizing the key data by using an integer word-length random number with the highest bit being 1 and an order of the elliptic curve to obtain the randomized data.
- the preset non-zero sequence includes: a sequence in which at least one bit in the data processing window is 1 and other bits are 0.
- the preset non-zero sequence includes: a sequence in which any bit in the data processing window is 1 and other bits are 0.
- the preset non-zero sequence includes: a sequence in which the last bit in the data processing window is 1 and the remaining bits are 0.
- an embodiment of the present disclosure provides a device for protecting a key in data transmission, which is characterized in that it includes:
- a data acquisition module configured to acquire input key data
- a data randomization module configured to perform randomization processing on the key data to obtain randomized data
- the all-zero window elimination module is used to subtract the preset non-zero sequence from the randomized data to obtain the all-zero window elimination data;
- a window division module configured to perform window division on the all-zero window elimination data according to a preset data processing window length, to obtain data after window division;
- the dot product module is used to obtain predetermined coordinates, initialize the first coordinates, calculate the predetermined coordinates and the dot product calculation of the data after the window is divided by data processing window, and combine the result of the dot product calculation with the first coordinates
- the calculation result of the doubling point is updated, and the first coordinate is updated to obtain the first target coordinate.
- the present disclosure further includes:
- a coordinate conversion module configured to convert the first target coordinates into second target coordinates of a specified dimension.
- the second implementation manner of the fourth aspect of the present disclosure further includes:
- a verification module configured to verify the second target coordinates in the specified dimension.
- the acquiring predetermined coordinates includes:
- the coordinate randomization submodule is used to randomize the specified coordinates to obtain randomized coordinates, wherein the specified coordinates are coordinates satisfying the elliptic curve equation;
- the pre-calculation sub-module is configured to pre-calculate the randomized coordinates by using a specified increment sequence to obtain the predetermined coordinates.
- the pre-calculation of the randomized coordinates using a specified incremental sequence includes:
- Multiplication is performed using the elements in the specified incrementing sequence and the randomized coordinates.
- the dot product calculation in the dot product module result and the calculation result of the doubling point of the first coordinate, and updating the first coordinate includes:
- the dot product module is also used for:
- the first coordinate is a point at infinity
- the present disclosure is characterized in that,
- the data randomization module is used for randomizing the key data by using an integer word-length random number with the highest bit being 1 and an order of the elliptic curve to obtain the randomized data.
- the preset non-zero sequence includes: a sequence in which at least one bit in the data processing window is 1 and other bits are 0.
- the preset non-zero sequence includes: a sequence in which any bit in the data processing window is 1 and other bits are 0.
- the preset non-zero sequence includes: a sequence in which the last bit in the data processing window is 1 and the remaining bits are 0.
- the window division module is configured to: add a specific value corresponding to the preset non-zero sequence to the all-zero window elimination data in the data processing window to obtain the window-divided data.
- the coordinate transformation module is used for:
- the second component of the first target coordinate is multiplied by the result of the cubic calculation of the intermediate component to obtain the second component of the second target coordinate.
- the verification module is used for: verifying whether the second target coordinate of the specified dimension is on an elliptic curve.
- the second target coordinate of the specified dimension is not on the elliptic curve, it is judged that the key protection device in the transmission data is attacked by differential error analysis, the second target coordinate of the specified dimension is discarded, and/or an alarm is issued. information.
- the key protection device in the data transmission is integrated into the chip, and the physical state of the chip during the process of processing the data in the data processing window is within a predetermined range.
- the chip includes at least one of the following chips:
- Power management chip gas management chip, bank management chip, communication management chip.
- an embodiment of the present disclosure provides an electronic device, including a memory and a processor; wherein,
- the memory is used to store one or more computer instructions, wherein the one or more computer instructions are executed by the processor to achieve the first aspect, the first implementation mode to the fourth implementation mode of the first aspect method, the second aspect, and the method described in any one of the first to fourteenth implementation manners of the second aspect.
- embodiments of the present disclosure provide a readable storage medium on which computer instructions are stored, and when the computer instructions are executed by a processor, the first aspect, the first implementation manner to the first implementation manner of the first aspect are implemented.
- the embodiments of the present disclosure provide a computer program, which includes computer instructions.
- the computer instructions are executed by a processor, the first aspect and the first implementation manner to the fourth implementation manner of the first aspect are implemented. , the second aspect, and the method described in any one of the first implementation manner to the fourteenth implementation manner of the second aspect.
- the input key data is obtained through the data acquisition step; the data randomization step is to perform randomization processing on the key data to obtain randomized data; The data is subtracted from the preset non-zero sequence to obtain the all-zero window elimination data, thereby eliminating the all-zero window.
- the data encryption transmission of remote meter reading in the power system the data encryption transmission between the wireless terminal and the main station in the electric wireless private network communication, the data encryption transmission between the distribution network client and the security gateway, etc. are guaranteed.
- the data in the scene is transmitted reliably. In gas systems, banking systems, and communication systems, similar reliable encrypted data transmission effects can also be obtained.
- FIG. 1 shows a flowchart of a data processing method for eliminating an all-zero window in a data string according to an embodiment of the present disclosure
- FIG. 2 shows a flowchart of a key protection method in transmitting data according to an embodiment of the present disclosure
- FIG. 3 shows a flow chart of a key protection method in transmitting data according to another embodiment of the present disclosure
- FIG. 4 shows a flowchart of a key protection method in transmitting data according to another embodiment of the present disclosure
- FIG. 5 shows a specific flow chart of acquiring predetermined coordinates in step S205 of FIG. 2 according to an embodiment of the present disclosure
- FIG. 6 shows a structural block diagram of a data processing device for eliminating all-zero windows in a data string according to an embodiment of the present disclosure
- Fig. 7 shows a structural block diagram of a key protection device in transmitting data according to an embodiment of the present disclosure
- FIG. 8 shows a structural block diagram of an electronic device according to an embodiment of the present disclosure
- Fig. 9 is a schematic structural diagram of a computer system suitable for implementing a data processing method for eliminating all-zero windows in a data string or a key protection method for transmitting data according to an embodiment of the present disclosure.
- randomization calculations are performed on the acquired input key data K_sec with a length of, for example, 256 bits, to obtain randomized data K_random
- R1 is a random number with an integer word length, and the highest bit of R1 is 1; #E is the order of the elliptic curve.
- R1 has the feature of randomization and is a preset random number.
- the elliptic curve E satisfies the equation
- x and y are the horizontal and vertical coordinates of points on the elliptic curve, respectively, and a and b are the parameters of the elliptic curve.
- the key data may be private key data that needs to be protected from leakage, for example, private key data with the highest bit being 1.
- the length of the key data K_sec may be 128 bits other than 256 bits, or 512 bits, or other lengths, which is not limited in the present disclosure.
- the randomized data K_random when processing the data string, that is, the randomized data K_random, it can be processed by data processing window by data processing window, and the length of the preset data processing window is set to W bits.
- the randomized data K_random includes L data processing windows.
- An all-zero window may appear in the randomized data K_random, that is, a window in which all bits in the data processing window are 0.
- the chip's dot product operation processes all-zero windows, the physical state of the chip changes compared to processing non-all-zero windows. For example, at least one of current, voltage and power of the chip will be reduced by M%. By detecting the reduction of at least one of the current, voltage and power when the chip is processing the all-zero window, the chip can be attacked, thereby deciphering the key data.
- W bits may be 8 bits, or 16 bits, or 32 bits, or other lengths, which is not limited in the present disclosure.
- the all-zero window elimination data K_cancel_zero can be calculated by sequence subtraction
- seq1 is a preset non-zero sequence with the same length as the randomized data K_random.
- the all-zero window elimination data K_cancel_zero that no longer includes the all-zero window can be obtained.
- the preset non-zero sequence seq1 can also be in each data processing window, any bit sequence value is 1, and all other bit sequence values are 0; or in each data processing window, The sequence value of at least one specified bit is 1, for example, the sequence value of the lowest bit and the second lowest bit is 1, and all other bit sequence values are 0.
- steps S201 , S202 , and S203 are the same as that of steps S101 , S102 , and S103 in FIG. 1 .
- the all-zero window elimination data K_cancel_zero is divided according to the preset data processing window length W, and a specific value corresponding to the preset non-zero sequence seq1 is added to the data processing window to obtain the window division Data (K_split L ⁇ 1 , K_split L ⁇ 2 , K_split 1 , K_split 0 ), L is the number of data processing windows.
- L is the number of data processing windows.
- the specific value corresponding to the zero sequence seq1 is 1.
- the second lowest bit sequence value is 1, and all other bit sequence values are 0, that is, when the preset non-zero sequence seq1 in the data processing window is 0...010, it is different from the preset non-zero sequence value.
- the specific value corresponding to the zero sequence seq1 is 2, or the bit sequence 10.
- the lowest bit and the second lowest bit sequence value are 1, and all other bit sequence values are 0, that is, when the preset non-zero sequence seq1 in the data processing window is 0...011, the same as
- the specific value corresponding to the preset non-zero sequence seq1 is 3, or a bit sequence 11.
- the compensation calculation for the randomized data K_random minus the preset non-zero sequence seq1 is realized when the all-zero window is eliminated, ensuring the overall point The correctness of the result of the multiplication operation.
- the steps of the following pseudo-code can be used to specifically realize obtaining the window-divided data (K_split L-1 , K_split L-2 , K_split 1 , K_split 0 ) from the all-zero window cancellation data K_cancel_zero.
- K_split i t
- K_cancel_zero K_cancel_zero-K_split i ,
- step S501 of Figure 5 for the specified coordinate P1(x1, y1) satisfying the elliptic curve equation, randomized coordinates are obtained through coordinate randomization processing
- the specified coordinates P1 (x1, y1) are input from the algorithm library, and R2 is a random number.
- P_random (X1, Y1, Z1) can also be obtained by using R2 to perform other operations on P1 (x1, y1), which is not limited in the present disclosure.
- pre-computation is performed on a specific incremental sequence (1, 2, . . . 2 w ) and randomized coordinates P_random (X1, Y1, Z1), specifically It is a multiplication calculation to get the predetermined coordinates
- P2(X2, Y2, Z2) P_random, 2*P_random, 3*P_random, ..., 2 W *P_random
- the first coordinate is initialized by calculating the point product of the windowed data K_split L-1 and the predetermined coordinate P2 (X2, Y2, Z2) in the last window , to get the first coordinate of the initialization
- the predetermined coordinates are calculated one by one, and the dot product calculation of the data after the window is divided, and the point addition calculation is performed on the result of the point multiplication calculation and the doubling calculation result of the first coordinate, and the first coordinate is updated. Get the first target coordinates.
- the first target coordinate Q_dest1(X3, Y3, Z3) can be obtained by means of the following pseudo code.
- K_split i *P2 is the point multiplication calculation of the predetermined coordinates and the data after dividing the window in the current data window i
- Q Q+K_split i *P2 It is the point multiplication calculation result and the point multiplication calculation result of the first coordinate for point addition calculation.
- step S301 of FIG. 3 coordinate conversion can be performed on the three-dimensional first target coordinate Q_dest1(X3, Y3, Z3) to obtain the specified dimension, that is, the two-dimensional second target coordinate Q_dest2(x2 ,y2).
- the conversion of the three-dimensional first target coordinate Q_dest1 (X3, Y3, Z3) into the two-dimensional second target coordinate Q_dest2 (x2, y2) can be realized by using the following pseudo code.
- the first destination coordinates Q_dest1 (X3, Y3, Z3) are affine coordinates
- the second destination coordinates Q_dest2(x2, y2) are projective coordinates.
- Z3 ⁇ 1 is the inverse calculation of Z3.
- the inversion calculation is time-consuming.
- calculation performance can be improved by using one inversion calculation, and then performing less time-consuming square calculation and cubic calculation.
- the second target coordinate Q_dest2(x2, y2) can be verified, that is, by verifying whether x2 and y2 satisfy the elliptic curve equation
- DFA differential fault analysis
- the second target coordinates are not located on the elliptic curve, it is judged that the point multiplication operation is attacked by DFA, and the attacked data may be discarded, and/or an alarm message may be issued, or other processing may be performed, which is not limited in the present disclosure.
- the second target coordinates are located on the elliptic curve, it is judged that the point multiplication operation has not been attacked by DFA, and the correct second target coordinates are obtained for subsequent encryption calculations.
- data processing windows may be used to perform calculations by data processing windows, thereby saving calculation amount.
- the physical state of the chip such as voltage, current, and power may change, for example, voltage, current, and power may drop.
- a method of eliminating all-zero windows may be used to prevent modular exponentiation from being attacked.
- the modular exponentiation of the public key RSA algorithm is performed in the following manner
- A is the data to be encrypted
- e is the first part of the public key
- M is the second part of the public key
- W is the length of the data processing window
- len(e) is the number of bits of e, is an up round operation.
- e_padding may include an all-zero window, that is, a window in which all bits in the data processing window are 0.
- the all-zero window elimination key e_cancel_zero can be calculated by sequence subtraction
- seq2 is a preset non-zero sequence with the same length as e_padding.
- the all-zero window elimination key e_cancel_zero that no longer includes the all-zero window can be obtained.
- the window-divided key (e_split L-1 , e_split L-2 , e_split 0 ) is obtained from the all-zero window cancellation key e_cancel_zero through the steps of the following pseudocode.
- the modular exponentiation operation of data processing window by data processing window is performed on A through the steps of the following pseudo code, and S
- Fig. 1 shows a flowchart of a data processing method for eliminating all-zero windows in a data string according to an embodiment of the present disclosure.
- the data processing method for eliminating the all-zero window in the data string includes: steps S101 , S102 , and S103 .
- step S101 the input key data is acquired.
- step S102 randomize the key data to obtain randomized data.
- step S103 the randomized data is subtracted from the preset non-zero sequence to obtain all-zero window elimination data.
- Step S101 is a data acquisition step
- step S102 is a data randomization step
- step S103 is an all-zero window elimination step.
- the key data K_sec is randomly calculated to obtain the randomized data K_random
- the input key data is obtained through the data acquisition step; the data randomization step is to perform randomization processing on the key data to obtain randomized data; The data is subtracted from the preset non-zero sequence to obtain the all-zero window elimination data, thereby eliminating the all-zero window.
- R1 is an integer word-length random number whose most significant bit is 1; #E is the order of the elliptic curve E. R1 has the feature of randomization and is a preset random number.
- the data randomization step includes: using an integer word-length random number whose highest bit is 1 and the order of the elliptic curve to randomize the key data to obtain randomized data, thereby The key data is randomized to strengthen the protection of the key data.
- the sequence value of any specified at least one position in each data processing window of the preset non-zero sequence seq1, can be set to 1, and all other bit sequence values are 0, such as the lowest bit and the second The sequence value of the low bit is 1, and the sequence values of other positions are all 0.
- the preset non-zero sequence includes: a sequence in which at least one bit in the data processing window is 1 and the remaining bits are 0, thereby eliminating the all-zero window.
- the sequence value of any bit in each data processing window of the preset non-zero sequence seq1, can be set to 1, and the sequence values of all other bits are 0.
- the preset non-zero sequence includes: a sequence in which any bit in the data processing window is 1 and the remaining bits are 0, thereby eliminating the all-zero window.
- the preset non-zero sequence includes: a sequence in which the last bit in the data processing window is 1 and the remaining bits are 0, thereby eliminating all-zero window data.
- Fig. 2 shows a flowchart of a key protection method in data transmission according to an embodiment of the present disclosure.
- the key protection method in data transmission includes: steps S201 , S202 , S203 , S204 , and S205 .
- step S201 the input key data is obtained.
- step S202 randomize the key data to obtain randomized data.
- step S203 the randomized data is subtracted from the preset non-zero sequence to obtain the all-zero window elimination data.
- step S204 window division is performed on the all-zero window elimination data according to the length of the preset data processing window to obtain data after window division.
- step S205 the predetermined coordinates are obtained, the first coordinates are initialized, the predetermined coordinates are calculated one by one data processing window and the point product calculation of the data after the window is divided, and the first coordinates to get the coordinates of the first target.
- Step S201 is a data acquisition step
- step S202 is a data randomization step
- step S203 is an all-zero window elimination step
- step S204 is a window division step
- step S205 is a point multiplication step.
- steps S201 to S203 may be implemented in the same way as steps S101 to S103, so as to obtain the all-zero window cancellation data K_cancel_zero.
- the steps of the following pseudo-code can be used to specifically realize obtaining the window-divided data (K_split L-1 , K_split L-2 , K_split 1 , K_split 0 ) from the all-zero window cancellation data K_cancel_zero.
- the dot multiplication step can be realized by the following pseudo code to obtain the first target coordinate Q_dest1(X3, Y3, Z3).
- P2 (X2, Y2, Z2) is the predetermined coordinate
- the predetermined coordinate P2 (X2, Y2, Z2) is obtained by the following method: the specified coordinate P1 (x1, y1) that satisfies the elliptic curve equation is randomized through the coordinate randomization process Coordinates P_random(X1,Y1,Z1), and then perform multiplication calculations on the specific incremental sequence (1,2,...2 w ) and randomized coordinates P_random(X1,Y1,Z1) to obtain the predetermined coordinates P2( X2, Y2, Z2).
- the input key data is obtained through the data acquisition step; the data randomization step is to perform randomization processing on the key data to obtain randomized data; Subtracting the preset non-zero sequence from the data to obtain the all-zero window elimination data; the window division step is to perform window division on the all-zero window elimination data according to the preset data processing window length to obtain the data after dividing the window; the point multiplication step is to obtain the predetermined coordinates , initialize the first coordinate, calculate the predetermined coordinates one by one data processing window and calculate the dot product of the data after dividing the window, combine the result of the dot multiplication calculation and the result of the doubling of the first coordinate, update the first coordinate, and obtain the first target coordinate, Therefore, by eliminating the all-zero window, the dot multiplication operation is prevented from being attacked due to changes in the physical state when calculating the all-zero window data, and key leakage is prevented.
- Fig. 3 shows a flowchart of a key protection method in data transmission according to another embodiment of the present disclosure.
- the key protection method in data transmission includes the same steps S201 , S202 , S203 , S204 , and S205 as those in FIG. 2 , and also includes step S301 .
- step S301 the first target coordinates are transformed into second target coordinates of a specified dimension.
- Step S301 is a coordinate conversion step.
- coordinate transformation may be performed on the first three-dimensional target coordinate Q_dest1 (X3, Y3, Z3) to obtain the second two-dimensional target coordinate Q_dest2 (x2, y2).
- the first target coordinates are converted into the second target coordinates of the specified dimension, so that the second target coordinates return to the elliptic curve coordinates, and the subsequent correctness of SM2 encryption is performed. operation.
- the conversion from the three-dimensional first target coordinate Q_dest1 (X3, Y3, Z3) to the two-dimensional second target coordinate Q_dest2 (x2, y2) can be realized by using the following pseudo code.
- Z3 ⁇ 1 is the inverse calculation of Z3.
- the inversion calculation is time-consuming.
- one inverse calculation is used to obtain the intermediate variable z2, and then the less time-consuming square calculation and cubic calculation are performed on z2, and X3 and Y3 are respectively multiplied by the results of the square calculation and the cubic calculation , get x2, y2, which can improve computing performance, improve data processing efficiency and reduce power consumption in actual operation.
- the step of coordinate conversion includes: performing an inverse calculation on the third component of the first target coordinate to obtain an intermediate component; calculating the square of the first component and the intermediate component of the first target coordinate Multiply the results to get the first component of the second target coordinates; multiply the second component of the first target coordinates and the result of the cubic calculation of the intermediate component to get the second component of the second target coordinates, thereby improving calculation performance and improving Data processing efficiency, reduce power consumption.
- Fig. 4 shows a flowchart of a key protection method in data transmission according to yet another embodiment of the present disclosure.
- the key protection method in data transmission includes steps S201 , S202 , S203 , S204 , S205 , and S301 , which are the same as those in FIG. 3 , and also includes step S401 .
- step S401 the second target coordinates of the specified dimension are verified.
- Step S401 is a verification step.
- the second target coordinate Q_dest2(x2, y2) can be checked, that is, by checking whether x2, y2 satisfy the elliptic curve equation
- DFA Differential fault analysis
- the second target coordinates of the specified dimension are verified, so as to detect whether the dot product operation is attacked by DFA, and ensure the correctness and security of the dot product calculation.
- the second target coordinates when the second target coordinates are not located on the elliptic curve, it is judged that the point multiplication operation is attacked by DFA, and the attacked data can be discarded, and/or an alarm message can be issued, or other processing can be performed. This is not limited.
- the second target coordinates are located on the elliptic curve, it is judged that the point multiplication operation has not been attacked by DFA, and the correct second target coordinates are obtained for subsequent encryption calculations.
- the second target coordinate of the specified dimension when the second target coordinate of the specified dimension is on the elliptic curve, it is judged that the key protection method in the transmission data is not attacked by differential error analysis, and the second target coordinate of the specified dimension is used to perform Encryption calculation; and/or when the second target coordinate of the specified dimension is not on the elliptic curve, it is judged that the key protection method in the transmission data is attacked by differential error analysis, and the second target coordinate of the specified dimension is discarded, and/or A warning message is issued to ensure the correctness and security of the dot product calculation when it may be attacked by DFA.
- FIG. 5 shows a specific flow chart of acquiring predetermined coordinates in step S205 of FIG. 2 according to an embodiment of the present disclosure.
- step S205 of FIG. 2 includes: steps S501 and S502.
- the specified coordinates are randomized to obtain randomized coordinates, wherein the specified coordinates are coordinates satisfying an elliptic curve equation.
- the randomized coordinates are pre-calculated using a specified increment sequence to obtain predetermined coordinates.
- Step S501 is a coordinate randomization sub-step
- S502 is a pre-computation sub-step.
- the specified coordinates P1 (x1, y1) are input from the algorithm library, and R2 is a random number.
- the multiplication calculation is performed on the specific increasing sequence (1,2,...2 w ) and the randomized coordinate P_random(X1,Y1,Z1) to obtain the predetermined coordinate
- P2(X2, Y2, Z2) P_random, 2P_random, 3P_random,..., 2 W P_random
- the pre-computation sub-step wherein, The randomized coordinates are pre-calculated by using a specified increment sequence to obtain the predetermined coordinates, thereby ensuring the correctness of the point multiplication operation after eliminating the all-zero window.
- the pre-calculation of the randomized coordinates by using the specified incremental sequence includes: using the elements in the specified incremental sequence and the randomized coordinates to perform multiplication calculations, so as to ensure the elimination of the dot multiplication operation after the all-zero window correctness.
- updating the first coordinate includes: multiplying the result of the point multiplication calculation and the first coordinate by combining the result of the point multiplication calculation and the result of the doubling of the first coordinate in the dot product step A point addition calculation is performed on the point calculation result, and the first coordinate is updated using the point addition calculation result, thereby ensuring the correctness of the point multiplication operation.
- the first coordinate in the point multiplication operation when the first coordinate in the point multiplication operation is a point at infinity, the first coordinate needs to be reassigned to avoid abnormal values in the calculation and ensure the correctness of the calculation result.
- the reassignment process can be realized by the following pseudocode
- the point product when the first coordinate is a point at infinity, by calculating the dot product of the predetermined coordinate and the data after dividing the window in the first pre-order data processing window of the current data processing window, the point product is used
- the result updates the first coordinate, and updates the current data processing window to the second pre-sequence data processing window of the current data processing window, thereby avoiding abnormal values in the calculation and ensuring the correctness of the results.
- the randomized calculation is performed on the acquired key data K_sec with a length of 256 bits, for example, to obtain the randomized data K_random
- R1 is a random number with an integer word length, and the highest bit of R1 is 1; #E is the order of the elliptic curve.
- the elliptic curve E satisfies the equation
- x and y are the horizontal and vertical coordinates of points on the elliptic curve, respectively, and a and b are the parameters of the elliptic curve.
- the data randomization step includes: randomizing the key data by using an integer word-length random number with the highest bit being 1 and the order of the elliptic curve to obtain the randomization Data, so as to randomize the key data and strengthen the protection of the key data.
- the preset non-zero sequence seq1 may include multiple data processing windows.
- the preset non-zero sequence seq1 can be in each data processing window, any bit sequence value is 1, and all other bit sequence values are 0. Calculated by serial subtraction
- the all-zero window cancellation data K_cancel_zero that no longer includes the all-zero window can be obtained.
- the preset non-zero sequence includes: a sequence in which any bit in the data processing window is 1 and the remaining bits are 0, thereby eliminating the all-zero window.
- the all-zero window cancellation data K_cancel_zero that no longer includes the all-zero window can be obtained.
- the sequence value at at least one position is 1, for example, the sequence value of the lowest bit and the second lowest bit is 1, and all other bit sequence values are 0, that is, the sequence value of the data processing seq1 in the window is 0...011.
- the preset non-zero sequence includes: a sequence in which at least one bit in the data processing window is 1 and the remaining bits are 0, thereby eliminating the all-zero window.
- the preset non-zero sequence includes: a sequence in which the last bit in the data processing window is 1 and the remaining bits are 0, thereby eliminating the all-zero window.
- the all-zero window elimination data K_cancel_zero is divided according to the preset data processing window length W, and a specific value corresponding to the preset non-zero sequence seq1 is added to the data processing window to obtain window division Post data (K_split L ⁇ 1 , K_split L ⁇ 2 , K_split 1 , K_split 0 ).
- the lowest bit sequence value is 1, and all other bit sequence values are 0, that is, when the preset non-zero sequence seq1 in the data processing window is 00...1, it is different from the preset non-zero sequence.
- the specific value corresponding to the zero sequence seq1 is 1.
- the second lowest bit sequence value is 1, and all other bit sequence values are 0, that is, when the preset non-zero sequence seq1 in the data processing window is 0...010, it is different from the preset non-zero sequence value.
- the specific value corresponding to the zero sequence seq1 is 2, or the bit sequence 10.
- the lowest bit and the second lowest bit sequence value are 1, and all other bit sequence values are 0, that is, when the preset non-zero sequence seq1 in the data processing window is 0...011, the same as The specific value corresponding to the preset non-zero sequence seq1 is 3, or a bit sequence 11.
- the window division step includes: in the data processing window, adding a specific value corresponding to the preset non-zero sequence to the all-zero window elimination data to obtain the data after the window division, Therefore, it is ensured that the calculation result after eliminating the all-zero window is correct.
- the second target coordinate Q_dest2(x2, y2) can be checked, that is, by checking whether x2, y2 satisfy the elliptic curve equation
- the checking step includes: checking whether the second target coordinate of the specified dimension is on the elliptic curve, so as to detect whether the dot product operation is attacked by DFA.
- the second target coordinates are not located on the elliptic curve, it is judged that the point multiplication operation is attacked by DFA, and the attacked data may be discarded, and/or an alarm message may be issued, or other processing may be performed, which is not limited in the present disclosure.
- the second target coordinates are located on the elliptic curve, it is judged that the point multiplication operation has not been attacked by DFA, and the correct second target coordinates are obtained for subsequent encryption calculations.
- the second target coordinate of the specified dimension when the second target coordinate of the specified dimension is on the elliptic curve, it is judged that the key protection method in the transmission data is not attacked by differential error analysis, and the second target coordinate of the specified dimension is used to perform Encryption calculation; and/or when the second target coordinate of the specified dimension is not on the elliptic curve, it is judged that the key protection method in the transmission data is attacked by differential error analysis, and the second target coordinate of the specified dimension is discarded, and/or A warning message is issued to ensure the correctness and safety of the dot multiplication operation under the condition that the dot multiplication operation may be attacked by DFA.
- Fig. 6 shows a structural block diagram of a data processing device for eliminating all-zero windows in a data string according to an embodiment of the present disclosure.
- the data processing device 600 for eliminating all-zero windows includes: a data acquisition module 601 , a data randomization module 602 , and an all-zero window elimination module 603 .
- the data obtaining module 601 is used to obtain the input key data.
- the data randomization module 602 is used for randomizing the key data to obtain randomized data.
- the all-zero window elimination module 603 is used to subtract the preset non-zero sequence from the randomized data to obtain the all-zero window elimination data.
- the data acquisition module is used to obtain the input key data; the data randomization module is used to randomize the key data to obtain randomized data; the all-zero window elimination module , which is used to subtract the preset non-zero sequence from the randomized data to obtain the all-zero window elimination data, thereby eliminating the all-zero window.
- the data randomization module is used to: use an integer word-length random number whose highest bit is 1 and the order of the elliptic curve to randomize the key data to obtain randomized data, thereby Randomize the key data to strengthen the protection of the key data.
- the preset non-zero sequence includes: a sequence in which at least one bit in the data processing window is 1 and the remaining bits are 0, thereby eliminating the all-zero window.
- the preset non-zero sequence includes: a sequence in which any bit in the data processing window is 1 and the remaining bits are 0, thereby eliminating the all-zero window.
- the preset non-zero sequence includes: a sequence in which the last bit in the data processing window is 1 and the remaining bits are 0, thereby eliminating all-zero window data.
- the data processing device 600 for eliminating all-zero windows includes: a processor, wherein the processor is configured to execute the above-mentioned program modules stored in the memory, and the above-mentioned program modules include: a data acquisition module 601, a data randomization module 602 and an all-zero window elimination module 603 .
- Fig. 7 shows a structural block diagram of a key protection device in transmitting data according to an embodiment of the present disclosure.
- the key protection device 700 in transmitting data includes: a data acquisition module 701 , a data randomization module 702 , an all-zero window elimination module 703 , a window division module 704 , and a dot product module 705 .
- the data randomization module 702 is configured to perform randomization processing on the key data to obtain randomized data.
- the all-zero window elimination module 703 is configured to subtract the preset non-zero sequence from the randomized data to obtain the all-zero window elimination data.
- the window division module 704 is configured to perform window division on the all-zero window elimination data according to a preset data processing window length, to obtain data after window division.
- the dot product module 705 is used to obtain the predetermined coordinates, initialize the first coordinates, calculate the predetermined coordinates one by one, and calculate the dot product calculation of the data after the window is divided, and update The first coordinate, get the first target coordinate.
- the data acquisition module is used to obtain the input key data; the data randomization module is used to randomize the key data to obtain randomized data; the all-zero window elimination module , which is used to subtract the preset non-zero sequence from the randomized data to obtain the all-zero window elimination data; the window division module is used to perform window division on the all-zero window elimination data according to the preset data processing window length, and obtain the data after dividing the window ;
- the dot product module is used to obtain the predetermined coordinates, initialize the first coordinates, calculate the predetermined coordinates one by one, and calculate the dot product calculation of the data after the window is divided, combine the result of the point multiplication calculation and the doubling calculation result of the first coordinate, and update
- the first coordinate is to obtain the first target coordinate, so as to eliminate the all-zero window, prevent the dot multiplication operation from changing the physical state when calculating the all-zero window data and be attacked, and prevent the key from leaking.
- the key protection device in the transmission data may further include: a coordinate conversion module.
- the coordinate conversion module is used to convert the first target coordinates into the second target coordinates of the specified dimension.
- a coordinate conversion module which is used to convert the first target coordinates into the second target coordinates of the specified dimension, so that the second target coordinates return to the elliptic curve coordinates for SM2 encryption subsequent correct operation.
- the device for protecting the key in the transmission data may further include: a verification module.
- the verification module is used to verify the second target coordinates of the specified dimension.
- a verification module which is used to verify the second target coordinates of the specified dimension, so as to detect whether the point multiplication operation is attacked by DFA, and ensure the correctness and security of the data .
- obtaining predetermined coordinates includes: a coordinate randomization sub-module for randomizing specified coordinates to obtain randomized coordinates, wherein the specified coordinates are coordinates satisfying the elliptic curve equation; pre-calculated The sub-module is used to pre-calculate the randomized coordinates by using a specified increment sequence to obtain the predetermined coordinates, so as to ensure the correctness of the point multiplication operation after eliminating the all-zero window.
- the pre-calculation of the randomized coordinates by using the specified incremental sequence includes: using the elements in the specified incremental sequence and the randomized coordinates to perform multiplication calculations, so as to ensure the elimination of the dot multiplication operation after the all-zero window correctness.
- updating the first coordinate includes: multiplying the result of the point multiplication calculation and the first coordinate by combining the result of the point multiplication calculation and the result of the doubling of the first coordinate in the dot product step A point addition calculation is performed on the point calculation result, and the first coordinate is updated using the point addition calculation result, thereby ensuring the correctness of the point multiplication operation.
- the dot product module is also used to: when the first coordinate is an infinite point, calculate the predetermined coordinates and the divided window data in the first pre-order data processing window of the current data processing window The dot product of , use the result of the dot product to update the first coordinate, and update the current data processing window to the second pre-sequence data processing window of the current data processing window, so as to avoid outliers in the calculation and ensure the correctness of the results.
- the data randomization module is used to: use an integer word-length random number whose highest bit is 1 and the order of the elliptic curve to randomize the key data to obtain randomized data, thereby Randomize the key data to strengthen the protection of the key data.
- the preset non-zero sequence includes: a sequence in which at least one bit in the data processing window is 1 and the remaining bits are 0, thereby eliminating the all-zero window.
- the preset non-zero sequence includes: a sequence in which any bit in the data processing window is 1 and the remaining bits are 0, thereby eliminating the all-zero window.
- the preset non-zero sequence includes: a sequence in which the last bit in the data processing window is 1 and the remaining bits are 0, thereby eliminating all-zero window data.
- the window division module is used to: in the data processing window, add a specific value corresponding to the preset non-zero sequence to the all-zero window elimination data to obtain the data after the window division , so as to ensure that the calculation result after eliminating the all-zero window is correct.
- the coordinate conversion module is used to: perform inverse calculation on the third component of the first target coordinate to obtain the intermediate component; the square of the first component and the intermediate component of the first target coordinate The calculated results are multiplied to obtain the first component of the second target coordinates; the second component of the first target coordinates is multiplied by the cubic calculation result of the intermediate component to obtain the second component of the second target coordinates, thereby improving the calculation performance, Improve data processing efficiency and reduce power consumption.
- the verification module is used to: verify whether the second target coordinate of the specified dimension is on the elliptic curve, so as to detect whether the dot product operation is attacked by DFA.
- the second target coordinate of the specified dimension when the second target coordinate of the specified dimension is on the elliptic curve, it is judged that the key protection method in the transmission data is not attacked by differential error analysis, and the second target coordinate of the specified dimension is used to perform Encryption calculation; and/or when the second target coordinate of the specified dimension is not on the elliptic curve, it is judged that the key protection method in the transmission data is attacked by differential error analysis, and the second target coordinate of the specified dimension is discarded, and/or A warning message is issued to ensure the correctness and safety of the dot multiplication operation under the condition that the dot multiplication operation may be attacked by DFA.
- the key protection device 700 in transmitting data includes: a processor, wherein the processor is configured to execute the above-mentioned program modules stored in the memory, and the above-mentioned program modules include: a data acquisition module 701, a data randomization module 702 , an all-zero window elimination module 703, a window division module 704, a dot product module 705, a coordinate transformation module and a verification module.
- the chip when the chip includes a key protection device in data transmission, if the chip adopts the traditional processing method that does not eliminate the all-zero window, it will make the chip process the all-zero window, such as current, voltage, power
- the physical state of etc. is M% lower than when dealing with non-all-zero windows.
- the chip can eliminate the all-zero window by adopting the above-mentioned data acquisition step, data randomization step, all-zero window elimination step, window division step, and point multiplication step, so that the physical state of the chip such as current, voltage, and power is within a predetermined range, for example, no Reduce M%, and ensure the correctness of the calculation results.
- the physical state of the chip during the process of processing the data in the data processing window is within a predetermined range, thereby avoiding detection of the chip Changes in physical state, resulting in key disclosure.
- the chip that implements the key protection method can be used for, for example, power management chips such as power remote meter reading chips, power wireless communication private network chips, power distribution network encrypted transmission chips, etc., and gas remote meter reading chips.
- Gas management chips such as gas equipment data encryption transmission chips, bank management chips such as bank ATM encryption data transmission chips, online banking encryption transmission chips, etc., public network encryption communication chips, 5G Internet of Things terminal encryption data transmission chips, etc.
- Communication management chips may also be other chips for dot product operation, which is not limited in the present disclosure.
- the chip includes at least one of the following chips: power management chip, gas management chip, bank management chip, communication management chip, so that the key protection method can be applied to many different scenarios .
- Fig. 8 shows a structural block diagram of an electronic device according to an embodiment of the present disclosure.
- the embodiment of the present disclosure also provides an electronic device. As shown in FIG. At least one processor 801 executes to realize the following steps:
- the data obtaining step obtains the input key data
- a data randomization step performing randomization processing on the key data to obtain randomized data
- the all-zero window elimination step is to subtract the preset non-zero sequence from the randomized data to obtain the all-zero window elimination data.
- the data randomization step includes: randomizing the key data by using an integer word-length random number with the highest bit being 1 and the order of the elliptic curve to obtain the randomized data .
- the preset non-zero sequence includes: a sequence in which at least one bit in the data processing window is 1 and the remaining bits are 0.
- the preset non-zero sequence includes: a sequence in which any bit in the data processing window is 1 and other bits are 0.
- the preset non-zero sequence includes: a sequence in which the last bit in the data processing window is 1 and the remaining bits are 0.
- the memory 802 stores instructions that may also be executed by at least one processor 801, and the instructions are executed by at least one processor 801 to implement the following steps:
- the data obtaining step obtains the input key data
- a data randomization step performing randomization processing on the key data to obtain randomized data
- the all-zero window elimination step is to subtract the preset non-zero sequence from the randomized data to obtain the all-zero window elimination data;
- the window division step is to perform window division on the all-zero window elimination data according to the preset data processing window length, and obtain the data after dividing the window;
- the dot product step is to obtain the predetermined coordinates, initialize the first coordinates, calculate the predetermined coordinates and the dot product calculation of the data after the window is divided by data processing window, and combine the result of the dot product calculation with the times of the first coordinates Point the calculation result, update the first coordinates, and obtain the first target coordinates.
- the instructions may also be executed by at least one processor 801 to implement the following steps: a coordinate conversion step, converting the first target coordinates into second target coordinates of a specified dimension.
- the instructions may also be executed by at least one processor 801 to implement the following steps: a verifying step of verifying the second target coordinates in the specified dimension.
- the acquiring predetermined coordinates includes:
- the coordinate randomization sub-step is to randomize the specified coordinates to obtain randomized coordinates, wherein the specified coordinates are coordinates satisfying the elliptic curve equation;
- the pre-calculation sub-step is to pre-calculate the randomized coordinates by using a specified increment sequence to obtain the predetermined coordinates.
- the pre-computing the randomized coordinates using a specified increment sequence includes:
- Multiplication is performed using the elements in the specified incrementing sequence and the randomized coordinates.
- updating the first coordinate includes:
- the dot product step further includes:
- the first coordinate is a point at infinity
- the data randomization step includes: randomizing the key data by using an integer word-length random number with the highest bit being 1 and the order of the elliptic curve to obtain the randomized data .
- the preset non-zero sequence includes: a sequence in which at least one bit in the data processing window is 1 and the remaining bits are 0.
- the preset non-zero sequence includes: a sequence in which any bit in the data processing window is 1 and the remaining bits are 0.
- the preset non-zero sequence includes: a sequence in which the last bit in the data processing window is 1 and the remaining bits are 0.
- the window division step includes: adding a specific value corresponding to the preset non-zero sequence to the all-zero window elimination data in the data processing window to obtain the Data after window division.
- the coordinate conversion step includes:
- the second component of the first target coordinate is multiplied by the result of the cubic calculation of the intermediate component to obtain the second component of the second target coordinate.
- the verifying step includes: verifying whether the second target coordinate of the specified dimension is on an elliptic curve.
- the second target coordinate of the specified dimension when the second target coordinate of the specified dimension is on the elliptic curve, it is judged that the key protection method in the transmission data is not attacked by differential error analysis, and the second target coordinate of the specified dimension is used Target coordinates are encrypted; and/or
- the second target coordinate of the specified dimension is not on the elliptic curve, it is judged that the key protection method in the transmission data is attacked by differential error analysis, the second target coordinate of the specified dimension is discarded, and/or an alarm is issued. information.
- Fig. 9 is a schematic structural diagram of a computer system suitable for implementing a data processing method for eliminating all-zero windows in a data string or a key protection method for transmitting data according to an embodiment of the present disclosure.
- a computer system 900 includes a processing unit 901 that can execute the above-mentioned additional processing unit 901 according to a program stored in a read-only memory (ROM) 902 or a program loaded from a storage section 908 into a random access memory (RAM) 903.
- ROM read-only memory
- RAM random access memory
- RAM903 various programs and data necessary for the operation of the system 900 are also stored.
- the processing unit 901 , ROM 902 , and RAM 903 are connected to each other through a bus 904 .
- An input/output (I/O) interface 905 is also connected to the bus 904 .
- the following components are connected to the I/O interface 905: an input section 906 including a keyboard, a mouse, etc.; an output section 907 including a cathode ray tube (CRT), a liquid crystal display (LCD), etc., and a speaker; a storage section 908 including a hard disk, etc. and a communication section 909 including a network interface card such as a LAN card, a modem, or the like.
- the communication section 909 performs communication processing via a network such as the Internet.
- a drive 910 is also connected to the I/O interface 905 as needed.
- a removable medium 911 such as a magnetic disk, optical disk, magneto-optical disk, semiconductor memory, etc. is mounted on the drive 910 as necessary so that a computer program read therefrom is installed into the storage section 908 as necessary.
- the processing unit 901 may be implemented as a processing unit such as a CPU, GPU, TPU, FPGA, or NPU.
- embodiments of the present disclosure include a computer program product comprising a computer program tangibly embodied on a medium readable therefrom, the computer program comprising program code for performing the methods in the accompanying drawings.
- the computer program may be downloaded and installed from a network via communication portion 909 and/or installed from removable media 911 .
- each block in a roadmap or block diagram may represent a module, program segment, or part of code that contains one or more Executable instructions.
- the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or they may sometimes be executed in the reverse order, depending upon the functionality involved.
- each block of the block diagrams and/or flowchart illustrations, and combinations of blocks in the block diagrams and/or flowchart illustrations can be implemented by a dedicated hardware-based system that performs the specified functions or operations , or may be implemented by a combination of dedicated hardware and computer instructions.
- the units or modules involved in the embodiments described in the present disclosure may be implemented by means of software or hardware.
- the described units or modules may also be set in the processor, and the names of these units or modules do not constitute limitations on the units or modules themselves in some cases.
- the present disclosure also provides a computer-readable storage medium.
- the computer-readable storage medium may be the computer-readable storage medium included in the node described in the above implementation manner; A computer-readable storage medium assembled in a device.
- the computer-readable storage medium stores one or more programs, and the programs are used by one or more processors to execute the methods described in the present disclosure.
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Health & Medical Sciences (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Storage Device Security (AREA)
Abstract
本公开实施例公开了一种数据处理和密钥保护方法、装置、设备、存储介质和程序。其中,数据处理方法,用于消除数据串中的全零窗口,包括:数据获取步骤,获取输入的密钥数据;数据随机化步骤,对密钥数据进行随机化处理,得到随机化数据;全零窗口消除步骤,将随机化数据减去预设非零序列,得到全零窗口消除数据,从而消除全零窗口。
Description
本公开涉及计算机技术领域,具体涉及数据处理和密钥保护方法、装置、设备、存储介质和程序。
随着信息技术和计算机技术的发展和广泛应用,信息安全越来越受到人们的重视,而信息安全需要采用密码算法。目前常用的1024位RSA算法面临严重的安全威胁。由于SM2算法安全性高、计算量小、处理速度快等优势,SM2密码算法具有逐渐取代RSA算法的趋势。例如,在各行业中大量使用了RSA加密算法,而SM2加密算法也在逐渐推广。
在电力系统中,RSA加密算法、SM2加密算法可以广泛应用于多种场景,例如:远程抄表的数据加密传输、电力无线专网通信中无线终端和主站间的数据加密传输、配电网客户端和安全网关间的数据加密传输等。电力系统中的RSA算法、SM2算法可以在芯片中实现,以获得较高的可靠性和运算效率。
在芯片中实现的例如SM2算法等的加密算法的核心是点乘运算。点乘运算可以有例如私钥的密钥参与,并采用逐数据处理窗口的数据处理方式实现点乘运算。而在当前实现点乘运算的固定窗口法等传统方法中,数据串中可能出现全零窗口,即其中的数据比特全为0的数据处理窗口。在传统方法处理全零窗口时,与处理非全零窗口相比,电压、电流、功率等芯片物理状态有可能发生变化,比如有可能出现电压、电流、功率下降等情况,使得其运算会不同,攻击者可以根据不同运算产生的功耗曲线特征进行攻击。通过检测芯片物理状态的变化,分析全零窗口,可以对点乘运算进行攻击,从而导致密钥的泄露,影响数据安全。因此,在数据处理方案中亟需一种消除数据串中全零窗口,从而消除由于全零窗口导致的芯片物理状态的变化,避免数据处理过程中的点乘运算被攻击,防止导致密钥的信息泄露,以保护密钥、保障数据安全的数据处理方案。在例如公钥RSA算法、私钥RSA算法的RSA算法的模幂运算中,同样也会常常采用窗口法进行防护,因此也存在全零窗口导致芯片信息泄露物理状态变化,从而可以被外部检测、受到攻击的问题。
发明内容
为了解决相关技术中的问题,本公开实施例提供一种数据处理和密钥保护方法、装置、设备、存储介质和程序。
第一方面,本公开实施例中提供了一种数据处理方法,用于消除数据串中的全零窗口,包括:
数据获取步骤,获取输入的密钥数据;
数据随机化步骤,对所述密钥数据进行随机化处理,得到随机化数据;
全零窗口消除步骤,将所述随机化数据减去预设非零序列,得到全零窗口消除数据。
结合第一方面,本公开在第一方面的第一种实现方式中,
所述数据随机化步骤包括:采用最高位为1的整数字长的随机数和椭圆曲线的阶,对所述密钥数据进行随机化,得到所述随机化数据。
结合第一方面或第一方面的第一种实现方式,本公开在第一方面的第二种实现方式中,
所述预设非零序列包括:在数据处理窗口中的至少一个比特为1,其余比特为0的序列。
结合第一方面或第一方面的第二种实现方式,本公开在第一方面的第三种实现方式中,
所述预设非零序列包括:在所述数据处理窗口中的任意一个比特为1,其余比特为0的序列。
结合第一方面的第三种实现方式,本公开在第一方面的第四种实现方式中,
所述预设非零序列包括:在所述数据处理窗口中的末位比特为1,其余比特为0的序列。
第二方面,本公开实施例中提供了一种传输数据中的密钥保护方法,包括:
数据获取步骤,获取输入的密钥数据;
数据随机化步骤,对所述密钥数据进行随机化处理,得到随机化数据;
全零窗口消除步骤,将所述随机化数据减去预设非零序列,得到全零窗口消除数据;
窗口划分步骤,按照预设数据处理窗口长度对所述全零窗口消除数据进行窗口划分,得到划分窗口后数据;
点乘步骤,获取预定坐标,初始化第一坐标,逐数据处理窗口计算所述预定坐标和所述划分窗口后数据的点乘计算,结合所述点乘计算的结果和所述第一坐标的倍点计算结果,更新所述第一坐标,得到第一目标坐标。
结合第二方面,本公开在第二方面的第一种实现方式中,还包括:
坐标转换步骤,将所述第一目标坐标转换为指定维度的第二目标坐标。
结合第二方面的第一种实现方式,本公开在第二方面的第二种实现方式中,还包括:
校验步骤,对所述指定维度的第二目标坐标进行校验。
结合第二方面至第二方面的第二种实现方式中的任一项,本公开在第二方面的第三种实现方式中,所述获取预定坐标包括:
坐标随机化子步骤,对指定坐标进行随机化,得到随机化坐标,其中,所述指定坐标为满足椭圆曲线方程的坐标;
预计算子步骤,采用指定递增序列对所述随机化坐标进行预计算,得到所述预定坐标。
结合第二方面的第三种实现方式,本公开在第二方面的第四种实现方式中,所述采用指定递增序列对所述随机化坐标进行预计算包括:
采用所述指定递增序列中的元素和所述随机化坐标进行乘法计算。
结合第二方面至第二方面的第二种实现方式中的任一项,本公开在第二方面的第五种实现方式中,
所述点乘步骤中的所述结合所述点乘计算的结果和所述第一坐标的倍点计算结果,更新所述第一坐标包括:
对所述点乘计算的结果和所述第一坐标的倍点计算结果进行点加计算,使用所述点加计算的结果更新所述第一坐标。
结合第二方面至第二方面的第二种实现方式中的任一项,本公开在第二方面的第六种实现方式中,所述点乘步骤还包括:
在所述第一坐标为无穷远点时,计算所述预定坐标和当前数据处理窗口的第一前序数据处理窗口内的所述划分窗口后数据的点乘,使用所述点乘的结果更新所述第一坐标,并更新所述当前数据处理窗口为所述当前数据处理窗口的第二前序数据处理窗口。
结合第二方面至第二方面的第二种实现方式中的任一项,本公开在第二方面的第七种实现方式中,
所述数据随机化步骤包括:采用最高位为1的整数字长的随机数和椭圆曲线的阶,对所述密钥数据进行随机化,得到所述随机化数据。
结合第二方面至第二方面的第二种实现方式中的任一项,本公开在第二方面的第八种实现方式中,
所述预设非零序列包括:在数据处理窗口中的至少一个比特为1,其余比特为0的序列。
结合第二方面的第八种实现方式中的任一项,本公开在第二方面的第九种实现方式中,
所述预设非零序列包括:在所述数据处理窗口中的任意一个比特为1,其余比特为0的序列。
结合第二方面的第九种实现方式,本公开在第二方面的第十种实现方式中,
所述预设非零序列包括:在所述数据处理窗口中的末位比特为1,其余比特为0的序列。
结合第二方面至第二方面的第二种实现方式中的任一项,本公开在第二方面的第十一种实现方式中,
所述窗口划分步骤包括:在所述数据处理窗口中,将所述全零窗口消除数据与所述预设非零序列相对应的特定数值相加,得到所述窗口划分后数据。
结合第二方面的第一种实现方式,本公开在第二方面的第十二种实现方式中,所述坐标转换步骤包括:
对所述第一目标坐标的第三分量进行求逆计算,得到中间分量;
将所述第一目标坐标的第一分量与所述中间分量的平方计算的结果相乘,得到所述第二目标坐标的第一分量;
将所述第一目标坐标的第二分量与所述中间分量的立方计算的结果相乘,得到所述第二目标坐标的第二分量。
结合第二方面的第二种实现方式,本公开在第二方面的第十三种实现方式中,
所述校验步骤包括:校验所述指定维度的第二目标坐标是否处于椭圆曲线上。
结合第二方面的第十三种实现方式,本公开在第二方面的第十四种实现方式中,
当所述指定维度的第二目标坐标处于椭圆曲线上时,判断所述传输数据中的密钥保护方法未受到差分错误分析攻击,使用所述指定维度的第二目标坐标进行加密计算;和/或
当所述指定维度的第二目标坐标不处于椭圆曲线上时,判断所述传输数据中的密钥保护方法受到差分错误分析攻击,丢弃所述指定维度的第二目标坐标,和/或发出告警信息。
第三方面,本公开实施例中提供了一种消除数据串中的全零窗口的数据处理装置,包括:
数据获取模块,用于获取输入的密钥数据;
数据随机化模块,用于对密钥数据进行随机化处理,得到随机化数据;
全零窗口消除模块,用于将所述随机化数据减去预设非零序列,得到全零窗口消除数据。
结合第三方面,本公开在第三方面的第一种实现方式中,
所述数据随机化模块用于:采用最高位为1的整数字长的随机数和椭圆曲线的阶,对所述密钥数据进行随机化,得到所述随机化数据。
结合第三方面或第三方面的第一种实现方式,本公开在第三方面的第二种实现方式中,
所述预设非零序列包括:在数据处理窗口中的至少一个比特为1,其余比特为0的序列。
结合第三方面的第二种实现方式,本公开在第三方面的第三种实现方式中,
所述预设非零序列包括:在所述数据处理窗口中的任意一个比特为1,其余比特为0的序列。
结合第三方面的第三种实现方式,本公开在第三方面的第四种实现方式中,
所述预设非零序列包括:在所述数据处理窗口中的末位比特为1,其余比特为0的序列。
第四方面,本公开实施例中提供了一种传输数据中的密钥保护装置,其特征在于,包括:
数据获取模块,用于获取输入的密钥数据;
数据随机化模块,用于对所述密钥数据进行随机化处理,得到随机化数据;
全零窗口消除模块,用于将所述随机化数据减去预设非零序列,得到全零窗口消除数据;
窗口划分模块,用于按照预设数据处理窗口长度对所述全零窗口消除数据进行窗口划分,得到划分窗口后数据;
点乘模块,用于获取预定坐标,初始化第一坐标,逐数据处理窗口计算所述预定坐标和所述划分窗口后数据的点乘计算,结合所述点乘计算的结果和所述第一坐标的倍点计算结果,更新所述第一坐标,得到第一目标坐标。
结合第四方面,本公开在第四方面的第一种实现方式中,还包括:
坐标转换模块,用于将所述第一目标坐标转换为指定维度的第二目标坐标。
结合第四方面的第一种实现方式,本公开在第四方面的第二种实现方式中,还包括:
校验模块,用于对所述指定维度的第二目标坐标进行校验。
结合第四方面至第四方面的第二种实现方式中的任一项,本公开在第四方面的第三种实现方式中,所述获取预定坐标包括:
坐标随机化子模块,用于对指定坐标进行随机化,得到随机化坐标,其中,所述指定坐标为满足椭圆曲线方程的坐标;
预计算子模块,用于采用指定递增序列对所述随机化坐标进行预计算,得到所述预定坐标。
结合第四方面的第三种实现方式,本公开在第四方面的第四种实现方式中,所述采用指定递增序列对所述随机化坐标进行预计算包括:
采用所述指定递增序列中的元素和所述随机化坐标进行乘法计算。
结合第四方面至第四方面的第二种实现方式中的任一项,本公开在第四方面的第五种实现方式中,所述点乘模块中的所述结合所述点乘计算的结果和所述第一坐标的倍点计算结果,更新所述第一坐标包括:
对所述点乘计算的结果和所述第一坐标的倍点计算结果进行点加计算,使用所述点加计算的结果更新所述第一坐标。
结合第四方面至第四方面的第二种实现方式中的任一项,本公开在第四方面的第六种实现方式中,所述点乘模块还用于:
在所述第一坐标为无穷远点时,计算所述预定坐标和当前数据处理窗口的第一前序数据处理窗口内的所述划分窗口后数据的点乘,使用所述点乘的结果更新所述第一坐标,并更新所述当前数据处理窗口为所述当前数据处理窗口的第二前序数据处理窗口。
结合第四方面至第四方面的第二种实现方式中的任一项,本公开在第四方面的第七种实现方式中,其特征在于,
所述数据随机化模块用于:采用最高位为1的整数字长的随机数和椭圆曲线的阶,对所述密钥数据进行随机化,得到所述随机化数据。
结合第四方面至第四方面的第二种实现方式中的任一项,本公开在第四方面的第八种实现方式中,
所述预设非零序列包括:在数据处理窗口中的至少一个比特为1,其余比特为0的序列。
结合第四方面的第八种实现方式,本公开在第四方面的第九种实现方式中,
所述预设非零序列包括:在所述数据处理窗口中的任意一个比特为1,其余比特为0的序列。
结合第四方面的第九种实现方式,本公开在第四方面的第十种实现方式中,
所述预设非零序列包括:在所述数据处理窗口中的末位比特为1,其余比特为0的序列。
结合第四方面至第四方面的第二种实现方式中的任一项,本公开在第四方面的第十一种实现方式中,
所述窗口划分模块用于:在所述数据处理窗口中,对所述全零窗口消除数据加上与所述预设非零序列相对应的特定数值,得到所述窗口划分后数据。
结合第四方面的第十一种实现方式,本公开在第四方面的第十二种实现方式中,所述坐标转换模块用于:
对所述第一目标坐标的第三分量进行求逆计算,得到中间分量;
所述第一目标坐标的第一分量和所述中间分量的平方计算的结果相乘,得到所述第二目标坐标的第一分量;
所述第一目标坐标的第二分量和所述中间分量的立方计算的结果相乘,得到所述第二目标坐标的第二分量。
结合第四方面的第二种实现方式,本公开在第四方面的第十三种实现方式中,
所述校验模块用于:校验所述指定维度的第二目标坐标是否处于椭圆曲线上。
结合第四方面的第三种实现方式,本公开在第四方面的第十四种实现方式中,
当所述指定维度的第二目标坐标处于椭圆曲线上时,判断所述传输数据中的密钥保护装置未受到差分错误分析攻击,使用所述指定维度的第二目标坐标进行加密计算;和/或
当所述指定维度的第二目标坐标不处于椭圆曲线上时,判断所述传输数据中的密钥保护装置受到差分错误分析攻击,丢弃所述指定维度的第二目标坐标,和/或发出告警信息。
结合第四方面至第四方面的第二种实现方式中的任一项,本公开在第四方面的第十五种实现方式中,
将所述数据传输中的密钥保护装置集成在芯片中,所述芯片在处理所述数据处理窗口的数据的过程中的物理状态处于预定范围。
结合第四方面的第十五种实现方式中,本公开在第四方面的第十六种实现方式中,所述芯片包括以下芯片中的至少一种:
电力管理芯片,燃气管理芯片,银行管理芯片,通信管理芯片。
第五方面,本公开实施例中提供了一种电子设备,包括存储器和处理器;其中,
所述存储器用于存储一条或多条计算机指令,其中,所述一条或多条计算机指令被所述处理器执行以实现如第一方面、第一方面的第一种实现方式到第四种实现方式、第二方面、第二方面的第一种实现方式到第十四种实现方式任一项所述的方法。
第六方面,本公开实施例中提供了一种可读存储介质,其上存储有计算机指令,该计算机指令被处理器执行时实现如第一方面、第一方面的第一种实现方式到第四种实现方式、第二方面、第二方面的第一种实现方式到第十四种实现方式任一项所述的方法。
第七方面,本公开实施例中提供了一种计算机程序,其中包括计算机指令,该计算机指令被处理器执行时实现如第一方面、第一方面的第一种实现方式到第四种实现方式、第二方面、第二方面的第一种实现方式到第十四种实现方式任一项所述的方法。
本公开实施例提供的技术方案可以包括以下有益效果:
根据本公开实施例提供的技术方案,通过数据获取步骤,获取输入的密钥数据;数据随机化步骤,对密钥数据进行随机化处理,得到随机化数据;全零窗口消除步骤,将随机化数据减去预设非零序列,得到全零窗口消除数据,从而消除全零窗口。
通过消除全零窗口,可以防止点乘运算在计算全零窗口数据时物理状态发生变化而受到攻击,从而防止密钥泄露,保障数据安全。通过这种方式,保证了电力系统的远程抄表的数据加密传输、电力无线专网通信中无线终端和主站间的数据加密传输、配电网客户端和安全网关间的数据加密传输等应用场景中的数据可靠传输。而在燃气系统、银行系统、通信系统中,也可以获得类似的可靠加密数据传输的效果。
应当理解的是,以上的一般描述和后文的细节描述仅是示例性和解释性的,并不能限制本公开。
结合附图,通过以下非限制性实施方式的详细描述,本公开的其他特征、目的和优点将变得更加明显。在附图中:
图1示出根据本公开一实施方式的用于消除数据串中的全零窗口的数据处理方法的流程图;
图2示出根据本公开一实施方式的传输数据中的密钥保护方法的流程图;
图3示出根据本公开另一实施方式的传输数据中的密钥保护方法的流程图;
图4示出根据本公开又一实施方式的传输数据中的密钥保护方法的流程图;
图5示出根据本公开实施方式的图2的步骤S205中的获取预定坐标的具体流程图;
图6示出根据本公开一实施方式的消除数据串中的全零窗口的数据处理装置的结构框图;
图7示出根据本公开一实施方式的传输数据中的密钥保护装置的结构框图;
图8示出根据本公开一实施方式的电子设备的结构框图;
图9是适于用来实现根据本公开一实施方式的消除数据串中的全零窗口的数据处理方法或传输数据中的密钥保护方法的计算机系统的结构示意图。
下文中,将参考附图详细描述本公开的示例性实施方式,以使本领域技术人员可容易地实现它们。此外,为了清楚起见,在附图中省略了与描述示例性实施方式无关的部分。
在本公开中,应理解,诸如“包括”或“具有”等的术语旨在指示本说明书中所公开的标签、数字、步骤、行为、部件、部分或其组合的存在,并且不欲排除一个或多个其他标签、数字、步骤、行为、部件、部分或其组合存在或被添加的可能性。
另外还需要说明的是,在不冲突的情况下,本公开中的实施例及实施例中的标签可以相互组合。下面将参考附图并结合实施例来详细说明本公开。
在本公开的实施例中,如图1中的步骤S101、S102,对于获取的例如长度为256比特的输入密钥数据K_sec进行随机化计算,得到随机化数据K_random
K_random=K_sec+R1*#E
其中,R1是整数字长的随机数,而且R1的最高位为1;#E是椭圆曲线的阶数。R1具有随机化特征,是预先设定的随机数。椭圆曲线E是满足方程
y
2=x
3+ax+b
的曲线,其中x、y分别是椭圆曲线上的点的横轴、纵轴坐标,a、b是椭圆曲线的参数。
在本公开的实施例中,密钥数据可以是需要进行保护,防止泄露的私钥数据,例如最高位为1的私钥数据。
本领域普通技术人员可以理解,密钥数据K_sec的长度可以是除256比特之外的128比特,或512比特,或者其它长度,本公开对此不作限定。
在点乘运算中,对数据串,即随机化数据K_random进行处理时,可采用逐数据处理窗口的方式进行处理,将预设数据处理窗口的长度设置为W比特。此时,假设随机化数据K_random包含L个数据处理窗口。随机化数据K_random中可能出现全零窗口,即数据处理窗口中的所有比特均为0的窗口。当芯片的点乘运算处理全零窗口时,和处理非全零窗口相比,芯片的物理状态会发生变化。例如,芯片的电流、电压、功率中的至少一项会降低M%。通过检测芯片在处理全零窗口时的电流、电压、功率中的至少一项的降低,可以对芯片进行攻击,从而破解密钥数据。
在本公开的实施例中,W比特可以8比特,或16比特,或32比特,或其它长度,本公开对此不作限定。
如图1的步骤S103,全零窗口消除数据K_cancel_zero可以通过序列减法计算得到
K_cancel_zero=K_random-seq1
其中seq1是与随机化数据K_random具有相同长度的预设非零序列。预设非零序列seq1可包括多个数据处理窗口,在seq1的每个数据处理窗口中,最低位序列值为1,其余所有位序列值均为0,即预设非零序列seq1可表示为:seq1=00...100...100...1...00...1。通过上述序列减法计算,可得到不再包括全零窗口的全零窗口消除数据K_cancel_zero。
本领域普通技术人员可以理解,预设非零序列seq1也可以在每个数据处理窗口中,任意一位序列值为1,其余所有位序列值均为0;或在每个数据处理窗口中,在指定的至少一位的序列值为1,例如最低位、次低位序列值为1,其余所有位序列值均为0。
本领域普通技术人员可以理解,除了点乘运算,例如RSA算法中的模幂运算等其它运算也可以受到全零窗口的影响,本公开对此不作限定。
在图2中,步骤S201、S202、S203的具体处理和图1中的步骤S101、S102、S103相同。
如图2的步骤S204,对全零窗口消除数据K_cancel_zero,按照预设数据处理窗口长度W进行划分,在数据处理窗口中加上与预设非零序列seq1相对应的特定数值,得到窗口划分后数据(K_split
L‐1,K_split
L‐2,K_split
1,K_split
0),L为数据处理窗口个数。当seq1的每个数据处理窗口中,最低位序列值为1,其余所有位序列值均为0,即数据处理窗口中的预设非零序列seq1为00...1时,与预设非零序列seq1相对应的特定数值为1。当seq1的每个数据处理窗口中,次低位序列值为1,其余所有位序列值均为0,即数据处理窗口中的预设非零序列seq1为0...010时,与预设非零序列seq1相对应的特定数值为2,或比特序列10。当seq1的每个数据处理窗口中,最低位和次低位序列值为1,其余所有位序列值均为0,即数据处理窗口中的预设非零序列seq1为0...011时,与预设非零序列seq1相对应的特定数值为3,或比特序列11。
本领域普通技术人员可以理解,当数据处理窗口中的预设非零序列seq1为其它序列时,预设非零序列seq1相对应的特定数值也相应的进行更新。
通过在数据处理窗口中加上与预设非零序列seq1相对应的数值,实现了在消除全零窗口时,对随机化数据K_random减去预设非零序列seq1的补偿计算,保证了整体点乘运算结果的正确性。
在本公开的实施例中,可以采用例如下述伪代码的步骤具体实现由全零窗口消除数据K_cancel_zero得到窗口划分后数据(K_split
L‐1,K_split
L‐2,K_split
1,K_split
0)。
1.设置循环变量i=0
2.执行循环体whilei<Ldo
2.1.t=mod(K_cancel_zero,2
w),其中mod计算是除法后取余数计算;
2.2.K_split
i=t,更新K_cancel_zero=K_cancel_zero‐K_split
i,
更新K_split
i=1+K_split
i;
2.3.更新i=i+1;
2.4.更新K_cancel_zero=K_cancel_zero/2
w;
3.return
在上述伪代码的计算过程中,对i、K_cancel_zero、K_split
i执行了原位赋值操作,其具体数值发生了变化。
本领域普通技术人员可以理解,也可以用其它具体计算方式实现由全零窗口消除数据K_cancel_zero得到窗口划分后数据(K_split
L‐1,K_split
L‐2,K_split
1,K_split
0),例如采用更多的缓存进行计算,而非对K_cancel_zero、K_split
i进行原位赋值操作,或对循环体展开的方式提高并行度,本公开对此不作限定。
在本公开的实施例中,如图5的步骤S501,对满足椭圆曲线方程的指定坐标P1(x1,y1),通过坐标随机化处理得到随机化坐标
P_random(X1,Y1,Z1)=P_random(x1R2
2,y1R2
3,R2)
其中,指定坐标P1(x1,y1)由算法库输入得到,R2是随机数。
本领域普通技术人员可以理解,也可以使用R2对P1(x1,y1)进行其它运算得到P_random(X1,Y1,Z1),本公开对此不作限定。
在本公开的实施例中,如图5的步骤S502,对特定递增序列(1,2,......2
w)和随机化坐标P_random(X1,Y1,Z1)执行预计算,具体是乘法计算,得到预定坐标
P2(X2,Y2,Z2)=P_random,2*P_random,3*P_random,...,2
W*P_random
在既往不消除全零窗口的例如固定窗口法的算法中,使用2
w‐1个元素的序列(1,2,......2
w‐1)进行预计算。而在本公开的实施例中,通过使用2
w个元素的特定递增序列(1,2,......2
w),保证了对随机化数据K_random进行减法计算,消除全零窗口后的计算结果正确性。
在本公开的实施例中,如图2的步骤S205,通过最后一个窗口中的划分窗口后数据K_split
L‐1与预定坐标P2(X2,Y2,Z2)的点乘计算对第一坐标进行初始化,得到初始化的第一坐标
Q=K_split
L-1*P2(X2,Y2,Z2)
在本公开的实施例中,逐数据处理窗口计算预定坐标和划分窗口后数据的点乘计算,对点乘计算的结果和第一坐标的倍点计算结果进行点加计算,更新第一坐标,得到第一目标坐标。
在本公开的实施例中,可以通过下述伪代码的方式获取第一目标坐标Q_dest1(X3,Y3,Z3)。
其中,Q=2
wQ是对第一坐标Q的倍点计算;K_split
i*P2是在当前数据窗口i中,预定坐标和划分窗口后数据的点乘计算;Q=Q+K_split
i*P2是点乘计算的结果和第一坐标的倍点计算结果进行点加计算。
当计算过程中的Q为无穷远点时,通过预定坐标P2和当前数据处理窗口i的第一前序数据处理窗口i‐1内的划分窗口后数据K_split
i‐1的点乘,重置第一坐标Q=K_split
i‐1*P2,并且更新当前窗口为i=i‐2。
在上述伪代码的计算过程中,对i、Q执行了原位赋值操作,其具体数值发生了变化。
在本公开的实施例中,如图3的步骤S301,可以对三维的第一目标坐标Q_dest1(X3,Y3,Z3)进行坐标转换,得到指定维度,即二维的第二目标坐标Q_dest2(x2,y2)。
在本公开的实施例中,可以使用下述伪代码方式实现将三维第一目标坐标Q_dest1(X3,Y3,Z3)转换为二维第二目标坐标Q_dest2(x2,y2)。
在本公开的实施例中,第一目标坐标Q_dest1(X3,Y3,Z3)是仿射坐标,第二目标坐标Q_dest2(x2,y2)是射影坐标。
z2=Z3
-1
x2=X3*z2
2
y2=Y3*z2
3
其中,Z3
‐1是Z3的求逆计算。
在芯片实现中,求逆计算较为耗时。在本公开的实施例中,使用1次求逆计算,再进行耗时较少的平方计算、立方计算,可以提升计算性能。
在本公开的实施例中,上述从获取随机化数据
K_random=K_sec+R
1*#E
至得到二维第二目标坐标Q_dest2(x2,y2)的所有计算过程共同构成点乘运算。
在本公开的实施例中,对应图4的步骤S401,可以对第二目标坐标Q_dest2(x2,y2)进行校验,即通过校验x2、y2是否满足椭圆曲线方程
y2
2=x2
3+ax2+b
,即Q_dest2(x2,y2)是否位于椭圆曲线上,来判断点乘运算是否受到差分错误分析(Differentialfaultanalysis,DFA)攻击。
当第二目标坐标不位于椭圆曲线上时,判断点乘运算受到DFA攻击,可以丢弃受攻击的数据,和/或发出告警信息,或者进行其它处理,本公开对此不作限定。当第二目标坐标位于椭圆曲线上时,判断点乘运算未受到DFA攻击,得到正确的第二目标坐标用于后续加密计算。
在本公开的实施例中,在RSA算法的模幂运算中,可以采用数据处理窗口的方式,逐数据处理窗口进行计算,从而节约计算量。当模幂运算中出现全零窗口时,电压、电流、功率等芯片物理状态有可能发生变化,例如有可能出现电压、电流、功率下降等情况。通过检测芯片物理状态的变化,分析全零窗口,可以对RSA算法的模幂运算进行攻击,从而导致密钥泄露,影响数据安全。
在本公开的实施例中,可以采用消除全零窗口的方式,避免模幂运算受到攻击。
在本公开的实施例中,通过以下方式进行公钥RSA算法的模幂运算
A
emod M
其中,A是待加密数据,e是公钥的第一部分,M是公钥的第二部分,W是数据处理窗口长度,数据处理窗口个数
当len(e)不能被W整除时,在e的最高位前补0至L*W位,得到e_padding。
当len(e)可以被W整除时,e_padding=e。
e_padding中可能包括全零窗口,即数据处理窗口中所有比特均为0的窗口。
全零窗口消除密钥e_cancel_zero可以通过序列减法计算得到
e_cancel_zero=e_padding-seq2
其中seq2是与e_padding具有相同长度的预设非零序列。预设非零序列seq2可包括多个数据处理窗口,在seq2的每个数据处理窗口中,最低位序列值为1,其余所有位序列值均为0,即预设非零序列seq2可表示为:seq2=00...100...100...1...00...1。通过上述序列减法计算,可得到不再包括全零窗口的全零窗口消除密钥e_cancel_zero。
在本公开的实施例中,通过以下伪代码的步骤从全零窗口消除密钥e_cancel_zero得到窗口划分后密钥(e_split
L‐1,e_split
L‐2,e_split
0)。
1.设置循环变量i=0
2.执行循环体whilee_cancel_zero>0do
2.1q=mod(e_cancel_zero,2
W),其中mod计算是除法后取余数计算;
2.2e_split
i=q,e_cancel_zero=e_cancel_zero-e
i,
更新e_split
i=1+e_split
i;
2.3.更新i=i+1;
2.4更新e_cancel_zero=e_cancel_zero/2
W;
3.return(e_split
L-1,e_split
L-2,e_split
0)
在上述伪代码的计算过程中,对i、e_canel_zero、e_spliti执行了原位赋值操作,其具体数值发生了变化。
本领域普通技术人员可以理解,也可以用其它具体计算方式实现从全零窗口消除密钥e_cancel_zero得到窗口划分后密钥(e_split
L‐1,e_split
L‐2,e_split
0)。例如,使用更多的缓存进行计算,而非对i、e_canel_zero、e_split
i执行原位赋值操作的方式,或对循环体展开的方式提高并行度,本公开对此不作限定。
在本公开的实施例中,通过以下伪代码的步骤对A进行逐数据处理窗口的模幂运算,得到S
5.执行循环体for i=L-2down to 0
6.return(S)
在上述伪代码的计算过程中,对i、S执行了原位赋值操作,其具体数值发生了变化。
本领域普通技术人员可以理解,也可以用其它具体计算方式实现对A进行逐数据处理窗口的模幂运算,得到S。例如,使用更多的缓存进行计算,而非对i、S执行原位赋值操作的方式,或对循环体展开的方式提高并行度,本公开对此不作限定。
本领域普通技术人员可以理解,对于私钥RSA算法的模幂运算,也可以由于全零窗口受到攻击,也可以采用消除全零窗口的方式避免受到攻击,处理方法与上述公钥RSA算法的模幂运算基本一致,本公开在此不再赘述。
图1示出根据本公开一实施方式的消除数据串中的全零窗口的数据处理方法的流程图。
如图1所示,消除数据串中的全零窗口的数据处理方法包括:步骤S101、S102、S103。
在步骤S101中,获取输入的密钥数据。
在步骤S102中,对密钥数据进行随机化处理,得到随机化数据。
在步骤S103中,将随机化数据减去预设非零序列,得到全零窗口消除数据。
步骤S101是数据获取步骤,步骤S102是数据随机化步骤,步骤S103是全零窗口消除步骤。
在本公开的实施例中,获取密钥数据K_sec后,对密钥数据K_sec进行随机化计算,得到随机化数据K_random
K_random=K_sec+R
1*#E
随机化数据K_random通过减去预设非零序列seq1,得到全零窗口消除数据
K_cancel_zero=K_random-seq1
根据本公开实施例提供的技术方案,通过数据获取步骤,获取输入的密钥数据;数据随机化步骤,对密钥数据进行随机化处理,得到随机化数据;全零窗口消除步骤,将随机化数据减去预设非零序列,得到全零窗口消除数据,从而消除全零窗口。
通过消除全零窗口,可以防止点乘运算在计算全零窗口时物理状态发生变化而受到攻击,防止密钥泄露。
本领域普通技术人员可以理解,消除数据串中全零窗口的方法除了可应用于点乘运算,还可以应用于其它运算,例如,RSA算法中的模幂运算等,本公开对此不作限定。
在本公开的实施例中,R1是最高位为1的整数字长的随机数;#E是椭圆曲线E的阶。R1具有随机化特征,是预先设定的随机数。
根据本公开实施例提供的技术方案,通过数据随机化步骤包括:采用最高位为1的整数字长的随机数和椭圆曲线的阶,对密钥数据进行随机化,得到随机化数据,从而对密钥数据进行随机化,加强对密钥数据的保护。
在本公开的实施例中,在预设非零序列seq1的每个数据处理窗口中,可以设置任意指定至少一个位置的序列值为1,其余所有位序列值均为0,例如最低位和次低位的序列值为1,其它位置的序列值均为0。
根据本公开实施例提供的技术方案,通过预设非零序列包括:在数据处理窗口中的至少一个比特为1,其余比特为0的序列,从而消除全零窗口。
在本公开的实施例中,在预设非零序列seq1的每个数据处理窗口中,可以设置任意一个比特的序列值为1,其余所有位序列值均为0。
根据本公开实施例提供的技术方案,通过预设非零序列包括:在数据处理窗口中的任意一个比特为1,其余比特为0的序列,从而消除全零窗口。
在本公开的实施例中,进一步地,在预设非零序列seq1的每个数据处理窗口中,最低位序列值为1,其余所有位序列值均为0,即预设非零序列可以表示为:seq1=00...100...100...1...00...1。
根据本公开实施例提供的技术方案,通过预设非零序列包括:在数据处理窗口中的末位比特为1,其余比特为0的序列,从而消除全零窗口数据。
图2示出根据本公开一实施方式的传输数据中的密钥保护方法的流程图。
如图2所示,传输数据中的密钥保护方法包括:步骤S201、S202、S203、S204、S205。
在步骤S201中,获取输入的密钥数据。
在步骤S202中,对密钥数据进行随机化处理,得到随机化数据。
在步骤S203中,将随机化数据减去预设非零序列,得到全零窗口消除数据。
在步骤S204中,按照预设数据处理窗口长度对全零窗口消除数据进行窗口划分,得到划分窗口后数据。
在步骤S205中,获取预定坐标,初始化第一坐标,逐数据处理窗口计算预定坐标和划分窗口后数据的点乘计算,结合点乘计算的结果和第一坐标的倍点计算结果,更新第一坐标,得到第一目标坐标。
步骤S201是数据获取步骤,步骤S202是数据随机化步骤,步骤S203是全零窗口消除步骤,步骤S204是窗口划分步骤,步骤S205是点乘步骤。
在本公开的实施例中,步骤S201至S203可以采用与步骤S101至S103相同的实现方式,从而得到全零窗口消除数据K_cancel_zero。
在本公开的实施例中,可以采用例如下述伪代码的步骤具体实现由全零窗口消除数据K_cancel_zero得到窗口划分后数据(K_split
L‐1,K_split
L‐2,K_split
1,K_split
0)。
1.设置循环变量i=0
2.执行循环体whilei<Ldo
2.1.t=mod(K_cancel_zero,2
w),其中mod()计算是除法后取余数
计算;
2.2.K_split
i=t,更新K_cancel_zero=K_cancel_zero-K_split
i,
更新K_split
i=1+K_split
i;
2.3.更新i=i+1;
2.4.更新K_cancel_zero=K_cancel_zero/2
w;
3.return
在上述伪代码的计算过程中,对i、K_cancel_zero、K_split
i执行了原位赋值操作,其具体数值发生了变化。
本领域普通技术人员可以理解,也可以用其它具体计算方式实现由全零窗口消除数据K_cancel_zero得到窗口划分后数据(K_split
L‐1,K_split
L‐2,K_split
1,K_split
0),例如,使用更多的缓存进行计算,而非对K_cancel_zero、K_split
i执行了原位赋值操作的方式,或对循环体展开的方式提高并行度,本公开对此不作限定。
在本公开的实施例中,可以通过以下伪代码方式实现点乘步骤,获得第一目标坐标Q_dest1(X3,Y3,Z3)。
其中,P2(X2,Y2,Z2)是预定坐标,预定坐标P2(X2,Y2,Z2)通过以下方式得到:满足椭圆曲线方程的指定坐标P1(x1,y1)通过坐标随机化处理得到随机化坐标P_random(X1,Y1,Z1),再对特定递增序列(1,2,......2
w)和随机化坐标P_random(X1,Y1,Z1)执行乘法计算,得到预定坐标P2(X2,Y2,Z2)。
根据本公开实施例提供的技术方案,通过数据获取步骤,获取输入的密钥数据;数据随机化步骤,对密钥数据进行随机化处理,得到随机化数据;全零窗口消除步骤,将随机化数据减去预设非零序列,得到全零窗口消除数据;窗口划分步骤,按照预设数据处理窗口长度对全零窗口消除数据进行窗口划分,得到划分窗口后数据;点乘步骤,获取预定坐标,初始化第一坐标,逐数据处理窗口计算预定坐标和划分窗口后数据的点乘计算,结合点乘计算的结果和第一坐标的倍点计算结果,更新第一坐标,得到第一目标坐标,从而通过消除全零窗口,防止点乘运算在计算全零窗口数据时物理状态发生变化而受到攻击,防止密钥泄露。
图3示出根据本公开另一实施方式的传输数据中的密钥保护方法的流程图。
如图3所示,传输数据中的密钥保护方法除了包含和图2相同的步骤S201、S202、S203、S204、S205,还包括步骤S301。
在步骤S301中,将第一目标坐标转换为指定维度的第二目标坐标。
步骤S301是坐标转换步骤。
在本公开的实施例中,可以对三维的第一目标坐标Q_dest1(X3,Y3,Z3)进行坐标转换,得到二维的第二目标坐标Q_dest2(x2,y2)。
根据本公开实施例提供的技术方案,通过坐标转换步骤,其中,将第一目标坐标转换为指定维度的第二目标坐标,从而使得第二目标坐标回到椭圆曲线坐标,进行SM2加密的后续正确运算。
在本公开的实施例中,可以使用下述伪代码方式实现从三维第一目标坐标Q_dest1(X3,Y3,Z3)到二维第二目标坐标Q_dest2(x2,y2)的转换。
z2=Z3
-1
x2=X3*z2
2
y2=Y3*z2
3
其中,Z3
‐1是Z3的求逆计算。
在芯片实现中,求逆计算较为耗时。在本公开的实施例中,使用1次求逆计算,得到中间变量z2,再对z2进行耗时较少的平方计算、立方计算,将X3、Y3分别和平方计算、立方计算的结果相乘,得到x2、y2,可以提升计算性能,在实际操作中提升数据处理效率,降低功耗。
根据本公开实施例提供的技术方案,通过坐标转换步骤包括:对第一目标坐标的第三分量进行求逆计算,得到中间分量;所述第一目标坐标的第一分量和中间分量的平方计算的结果相乘,得到第二目标坐标的第一分量;第一目标坐标的第二分量和中间分量的立方计算的结果相乘,得到第二目标坐标的第二分量,从而提高计算性能,提高数据处理效率,降低功耗。
图4示出根据本公开又一实施方式的传输数据中的密钥保护方法的流程图。
如图3所示,传输数据中的密钥保护方法除了包含和图3相同的步骤S201、S202、S203、S204、S205、S301,还包括步骤S401。
在步骤S401中,对指定维度的第二目标坐标进行校验。
步骤S401是校验步骤。
在本公开的实施例中,可以对第二目标坐标Q_dest2(x2,y2)进行校验,即通过校验x2、y2是否满足椭圆曲线方程
y2
2=x2
3+ax2+b
来判断点乘运算是否受到差分错误分析(Differentialfaultanalysis,DFA)攻击。
根据本公开实施例提供的技术方案,通过校验步骤,对指定维度的第二目标坐标进行校验,从而检测点乘运算是否受到DFA攻击,保证点乘计算的正确性和安全性。
在本公开的实施例中,当第二目标坐标不位于椭圆曲线上时,判断点乘运算受到DFA攻击,可以丢弃受攻击的数据,和/或发出告警信息,或者进行其它处理,本公开对此不作限定。当第二目标坐标位于椭圆曲线上时,判断点乘运算未受到DFA攻击,得到正确的第二目标坐标用于后续加密计算。
根据本公开实施例提供的技术方案,通过当指定维度的第二目标坐标处于椭圆曲线上时,判断传输数据中的密钥保护方法未受到差分错误分析攻击,使用指定维度的第二目标坐标进行加密计算;和/或当指定维度的第二目标坐标不处于椭圆曲线上时,判断传输数据中的密钥保护方法受到差分错误分析攻击,丢弃所述指定维度的第二目标坐标,和/或发出告警信息,从而在可能受到DFA攻击时,保证点乘计算的正确性和安全性。
图5示出根据本公开实施方式的图2的步骤S205中的获取预定坐标的具体流程图。
如图5所示,图2的步骤S205中的“获取预定坐标”的具体实施方式包括:步骤S501、S502。
在S501中,对指定坐标进行随机化,得到随机化坐标,其中,指定坐标为满足椭圆曲线方程的坐标。
在S502中,采用指定递增序列对随机化坐标进行预计算,得到预定坐标。
步骤S501是坐标随机化子步骤,S502是预计算子步骤。
在本公开的实施例中,对满足椭圆曲线方程的指定坐标P1(x1,y1),通过坐标随机化处理得到随机化坐标
P_random(X1,Y1,Z1)=P_random(x1R2
2,y1R2
3,R2)
其中,指定坐标P1(x1,y1)由算法库输入得到,R2是随机数。
在本公开的实施例中,对特定递增序列(1,2,......2
w)和随机化坐标P_random(X1,Y1,Z1)执行乘法计算,得到预定坐标
P2(X2,Y2,Z2)=P_random,2P_random,3P_random,......,2
WP_random
在既往不消除全零窗口的算法中,使用2
w‐1个元素的序列(1,2,......2
w‐1)。而在本公开的实施例中,通过使用2
w个元素的特定递增序列(1,2,......2
w),保证了对随机化数据K_random进行减法计算,消除全零窗口后的计算结果正确性。
根据本公开实施例提供的技术方案,通过坐标随机化子步骤,其中,对指定坐标进行随机化,得到随机化坐标,其中,指定坐标为满足椭圆曲线方程的坐标;预计算子步骤,其中,采用指定递增序列对所述随机化坐标进行预计算,得到所述预定坐标,从而保证消除全零窗口后的点乘运算的正确性。
根据本公开实施例提供的技术方案,通过采用指定递增序列对随机化坐标进行预计算包括:采用指定递增序列中的元素和随机化坐标进行乘法计算,从而保证消除全零窗口后的点乘运算的正确性。
根据本公开实施例提供的技术方案,通过点乘步骤中的结合点乘计算的结果和第一坐标的倍点计算结果,更新第一坐标包括:对点乘计算的结果和第一坐标的倍点计算结果进行点加计算,使用点加计算的结果更新所述第一坐标,从而保证点乘运算的正确性。
在本公开的实施例中,当点乘运算中的第一坐标为无穷远点时,需要对第一坐标进行重新赋值,避免计算出现异常值,保证计算结果的正确性。重新赋值过程可以通过以下伪代码方式实现
当计算过程中的Q为无穷远点时,通过预定坐标P2和当前数据处理窗口i的第一前序数据处理窗口i‐1内的划分窗口后数据K_split
i‐1的点乘,重置第一坐标Q=K_split
i‐1*P2,并且更新当前窗口为i=i‐2。
根据本公开实施例提供的技术方案,通过在第一坐标为无穷远点时,计算预定坐标和当前数据处理窗口的第一前序数据处理窗口内的划分窗口后数据的点乘,使用点乘的结果更新第一坐标,并更新当前数据处理窗口为当前数据处理窗口的第二前序数据处理窗口,从而避免计算出现异常值,保证结果的正确性。
在本公开的实施例中,对于获取的例如长度为256比特的密钥数据K_sec进行随机化计算,得到随机化数据K_random
K_random=K_sec+R1*#E
其中,R1是整数字长的随机数,而且R1的最高位为1;#E是椭圆曲线的阶数。椭圆曲线E是满足方程
y
2=x
3+ax+b
的曲线,其中x、y分别是椭圆曲线上的点的横轴、纵轴坐标,a、b是椭圆曲线的参数。
根据本公开实施例提供的技术方案,通过数据随机化步骤包括:采用最高位为1的整数字长的随机数和椭圆曲线的阶,对所述密钥数据进行随机化,得到所述随机化数据,从而对密钥数据进行随机化,加强对密钥数据的保护。
在本公开的实施例中,预设非零序列seq1可包括多个数据处理窗口。预设非零序列seq1可以在每个数据处理窗口中,任意一位序列值为1,其余所有位序列值均为0。通过序列减法计算
K_cancel_zero=K_random-seq1
可得到不再包括全零窗口的全零窗口消除数据K_cancel_zero。
根据本公开实施例提供的技术方案,通过预设非零序列包括:在数据处理窗口中的任意一个比特为1,其余比特为0的序列,从而消除全零窗口。
在本公开的实施例中,进一步地,在seq1的每个数据处理窗口中,可以最低位序列值为1,其余所有位序列值均为0,即预设非零序列seq1可表示为:seq1=00...100...100...1...00...1。通过序列减法计算
K_cancel_zero=K_random-seq1
可得到不再包括全零窗口的全零窗口消除数据K_cancel_zero。
在本公开的实施例中,可以在每个数据处理窗口中,在至少一个位置的序列值为1,例如最低位、次低位序列值为1,其余所有位序列值均为0,即数据处理窗口中的seq1为0...011。
根据本公开实施例提供的技术方案,通过预设非零序列包括:在数据处理窗口中的至少一个比特为1,其余比特为0的序列,从而消除全零窗口。
根据本公开实施例提供的技术方案,通过预设非零序列包括:在数据处理窗口中的末位比特为1,其余比特为0的序列,从而消除全零窗口。
在本公开的实施例中,对全零窗口消除数据K_cancel_zero,按照预设数据处理窗口长度W进行划分,在数据处理窗口中加上与预设非零序列seq1相对应的特定数值,得到窗口划分后数据(K_split
L‐1,K_split
L‐2,K_split
1,K_split
0)。
当seq1的每个数据处理窗口中,最低位序列值为1,其余所有位序列值均为0,即数据处理窗口中的预设非零序列seq1为00...1时,与预设非零序列seq1相对应的特定数值为1。当seq1的每个数据处理窗口中,次低位序列值为1,其余所有位序列值均为0,即数据处理窗口中的预设非零序列seq1为0...010时,与预设非零序列seq1相对应的特定数值为2,或比特序列10。当seq1的每个数据处理窗口中,最低位和次低位序列值为1,其余所有位序 列值均为0,即数据处理窗口中的预设非零序列seq1为0...011时,与预设非零序列seq1相对应的特定数值为3,或比特序列11。
本领域普通技术人员可以理解,当数据处理窗口中的预设非零序列seq1为其它序列时,预设非零序列seq1相对应的特定数值也相应的进行更新。
根据本公开实施例提供的技术方案,通过窗口划分步骤包括:在数据处理窗口中,对全零窗口消除数据加上与预设非零序列相对应的特定数值,得到所述窗口划分后数据,从而保证消除全零窗口后的计算结果正确。
在本公开的实施例中,可以对第二目标坐标Q_dest2(x2,y2)进行校验,即通过校验x2、y2是否满足椭圆曲线方程
y2
2=x2
3+ax2+b
,即Q_dest2(x2,y2)是否位于椭圆曲线上,来判断点乘运算是否受到DFA攻击。
根据本公开实施例提供的技术方案,通过校验步骤包括:校验指定维度的第二目标坐标是否处于椭圆曲线上,从而检测点乘运算是否受到DFA攻击。
当第二目标坐标不位于椭圆曲线上时,判断点乘运算受到DFA攻击,可以丢弃受攻击的数据,和/或发出告警信息,或者进行其它处理,本公开对此不作限定。当第二目标坐标位于椭圆曲线上时,判断点乘运算未受到DFA攻击,得到正确的第二目标坐标用于后续加密计算。
根据本公开实施例提供的技术方案,通过当指定维度的第二目标坐标处于椭圆曲线上时,判断传输数据中的密钥保护方法未受到差分错误分析攻击,使用指定维度的第二目标坐标进行加密计算;和/或当指定维度的第二目标坐标不处于椭圆曲线上时,判断传输数据中的密钥保护方法受到差分错误分析攻击,丢弃所述指定维度的第二目标坐标,和/或发出告警信息,从而在点乘运算可能受到DFA攻击的条件下保证点乘运算的正确、安全。
图6示出根据本公开一实施方式的消除数据串中的全零窗口的数据处理装置的结构框图。
如图6所示,消除全零窗口的数据处理装置600包括:数据获取模块601、数据随机化模块602、全零窗口消除模块603。
数据获取模块601用于获取输入的密钥数据。
数据随机化模块602用于对密钥数据进行随机化处理,得到随机化数据。
全零窗口消除模块603用于将随机化数据减去预设非零序列,得到全零窗口消除数据。
根据本公开实施例提供的技术方案,通过数据获取模块,用于获取输入的密钥数据;数据随机化模块,用于对密钥数据进行随机化处理,得到随机化数据;全零窗口消除模块,用于将随机化数据减去预设非零序列,得到全零窗口消除数据,从而消除全零窗口。
根据本公开实施例提供的技术方案,通过数据随机化模块用于:采用最高位为1的整数字长的随机数和椭圆曲线的阶,对密钥数据进行随机化,得到随机化数据,从而对密钥数据进行随机化,加强对密钥数据的保护。
根据本公开实施例提供的技术方案,通过预设非零序列包括:在数据处理窗口中的至少一个比特为1,其余比特为0的序列,从而消除全零窗口。
根据本公开实施例提供的技术方案,通过预设非零序列包括:在数据处理窗口中的任意一个比特为1,其余比特为0的序列,从而消除全零窗口。
根据本公开实施例提供的技术方案,通过预设非零序列包括:在数据处理窗口中的末位比特为1,其余比特为0的序列,从而消除全零窗口数据。
在另一个实施示例中,消除全零窗口的数据处理装置600包括:处理器,其中所述处理器用于执行存在存储器的上述程序模块,上述程序模块包括:数据获取模块601、数据随机化模块602和全零窗口消除模块603。
图7示出根据本公开一实施方式的传输数据中的密钥保护装置的结构框图。
如图7所示,传输数据中的密钥保护装置700包括:数据获取模块701、数据随机化模块702、全零窗口消除模块703、窗口划分模块704、点乘模块705。
数据获取模块701,用于获取输入的密钥数据。
数据随机化模块702,用于对密钥数据进行随机化处理,得到随机化数据。
全零窗口消除模块703,用于将随机化数据减去预设非零序列,得到全零窗口消除数据。
窗口划分模块704,用于按照预设数据处理窗口长度对全零窗口消除数据进行窗口划分,得到划分窗口后数据。
点乘模块705,用于获取预定坐标,初始化第一坐标,逐数据处理窗口计算预定坐标和划分窗口后数据的点乘计算,结合点乘计算的结果和第一坐标的倍点计算结果,更新第一坐标,得到第一目标坐标。
根据本公开实施例提供的技术方案,通过数据获取模块,用于获取输入的密钥数据;数据随机化模块,用于对 密钥数据进行随机化处理,得到随机化数据;全零窗口消除模块,用于将随机化数据减去预设非零序列,得到全零窗口消除数据;窗口划分模块,用于按照预设数据处理窗口长度对全零窗口消除数据进行窗口划分,得到划分窗口后数据;点乘模块,用于获取预定坐标,初始化第一坐标,逐数据处理窗口计算预定坐标和划分窗口后数据的点乘计算,结合点乘计算的结果和第一坐标的倍点计算结果,更新第一坐标,得到第一目标坐标,从而通过消除全零窗口,防止点乘运算在计算全零窗口数据时物理状态发生变化而受到攻击,防止密钥泄露。
在本公开的实施例中,传输数据中的密钥保护装置还可以包括:坐标转换模块。
坐标转换模块用于将第一目标坐标转换为指定维度的第二目标坐标。
根据本公开实施例提供的技术方案,通过还包括:坐标转换模块,用于将第一目标坐标转换为指定维度的第二目标坐标,从而使得第二目标坐标回到椭圆曲线坐标,进行SM2加密的后续正确运算。
在本公开的实施例中,传输数据中的密钥保护装置还可以包括:校验模块。
校验模块用于对指定维度的第二目标坐标进行校验。
根据本公开实施例提供的技术方案,通过还包括:校验模块,用于对指定维度的第二目标坐标进行校验,从而检测点乘运算是否受到DFA攻击,保证数据的正确性和安全性。
根据本公开实施例提供的技术方案,通过获取预定坐标包括:坐标随机化子模块,用于对指定坐标进行随机化,得到随机化坐标,其中,指定坐标为满足椭圆曲线方程的坐标;预计算子模块,用于采用指定递增序列对所述随机化坐标进行预计算,得到所述预定坐标,从而保证消除全零窗口后的点乘运算的正确性。
根据本公开实施例提供的技术方案,通过采用指定递增序列对随机化坐标进行预计算包括:采用指定递增序列中的元素和随机化坐标进行乘法计算,从而保证消除全零窗口后的点乘运算的正确性。
根据本公开实施例提供的技术方案,通过点乘步骤中的结合点乘计算的结果和第一坐标的倍点计算结果,更新第一坐标包括:对点乘计算的结果和第一坐标的倍点计算结果进行点加计算,使用点加计算的结果更新所述第一坐标,从而保证点乘运算的正确性。
根据本公开实施例提供的技术方案,通过点乘模块还用于:在第一坐标为无穷远点时,计算预定坐标和当前数据处理窗口的第一前序数据处理窗口内的划分窗口后数据的点乘,使用点乘的结果更新第一坐标,并更新当前数据处理窗口为当前数据处理窗口的第二前序数据处理窗口,从而避免计算出现异常值,保证结果的正确性。
根据本公开实施例提供的技术方案,通过数据随机化模块用于:采用最高位为1的整数字长的随机数和椭圆曲线的阶,对密钥数据进行随机化,得到随机化数据,从而对密钥数据进行随机化,加强对密钥数据的保护。
根据本公开实施例提供的技术方案,通过预设非零序列包括:在数据处理窗口中的至少一个比特为1,其余比特为0的序列,从而消除全零窗口。
根据本公开实施例提供的技术方案,通过预设非零序列包括:在数据处理窗口中的任意一个比特为1,其余比特为0的序列,从而消除全零窗口。
根据本公开实施例提供的技术方案,通过预设非零序列包括:在数据处理窗口中的末位比特为1,其余比特为0的序列,从而消除全零窗口数据。
根据本公开实施例提供的技术方案,通过窗口划分模块用于:在数据处理窗口中,对全零窗口消除数据加上与预设非零序列相对应的特定数值,得到所述窗口划分后数据,从而保证消除全零窗口后的计算结果正确。
根据本公开实施例提供的技术方案,通过坐标转换模块用于:对第一目标坐标的第三分量进行求逆计算,得到中间分量;所述第一目标坐标的第一分量和中间分量的平方计算的结果相乘,得到第二目标坐标的第一分量;第一目标坐标的第二分量和中间分量的立方计算的结果相乘,得到第二目标坐标的第二分量,从而提高计算性能,提高数据处理效率,降低功耗。
根据本公开实施例提供的技术方案,通过校验模块用于:校验指定维度的第二目标坐标是否处于椭圆曲线上,从而检测点乘运算是否受到DFA攻击。
根据本公开实施例提供的技术方案,通过当指定维度的第二目标坐标处于椭圆曲线上时,判断传输数据中的密钥保护方法未受到差分错误分析攻击,使用指定维度的第二目标坐标进行加密计算;和/或当指定维度的第二目标坐标不处于椭圆曲线上时,判断传输数据中的密钥保护方法受到差分错误分析攻击,丢弃所述指定维度的第二目标坐标,和/或发出告警信息,从而在点乘运算可能受到DFA攻击的条件下保证点乘运算的正确、安全。
在另一个实施示例中,传输数据中的密钥保护装置700包括:处理器,其中所述处理器用于执行存在存储器的上述程序模块,上述程序模块包括:数据获取模块701、数据随机化模块702、全零窗口消除模块703、窗口划分模块704、点乘模块705、坐标转换模块和校验模块。
在本公开的实施例中,在芯片包含数据传输中的密钥保护装置时,芯片如果采用传统不消除全零窗口的处理方式,会使得芯片在处理全零窗口时,例如电流、电压、功率等的物理状态比处理非全零窗口时降低M%。芯片通过 采用上述数据获取步骤、数据随机化步骤、全零窗口消除步骤、窗口划分步骤、点乘步骤,可以消除全零窗口,使得芯片的电流、电压、功率等物理状态处于预定范围,例如不降低M%,并保证了计算结果的正确性。
根据本公开实施例提供的技术方案,通过将数据传输中的密钥保护装置集成在芯片中,芯片在处理所述数据处理窗口的数据的过程中的物理状态处于预定范围,从而避免检测到芯片物理状态的变化,而导致密钥泄露。
在本公开的实施例中,实现密钥保护方法的芯片可以用于,例如电力远程抄表芯片、电力无线通信专网芯片、配电网加密传输芯片等的电力管理芯片,燃气远程抄表芯片、燃气设备数据加密传输芯片等的燃气管理芯片,银行ATM机加密数据传输芯片、网银加密传输芯片等的银行管理芯片,公网加密通信芯片、5G物联网终端加密数据传输芯片等的通信管理芯片,也可以是其它进行点乘运算的芯片,本公开对此不作限定。
根据本公开实施例提供的技术方案,通过芯片包括以下芯片中的至少一种:电力管理芯片,燃气管理芯片,银行管理芯片,通信管理芯片,使得密钥保护方法可以应用于多种不同的场景。
图8示出根据本公开一实施方式的电子设备的结构框图。
本公开实施方式还提供了一种电子设备,如图8所示,所述电子设备800包括处理器801和存储器802;其中,存储器802存储有可被至少一个处理器801执行的指令,指令被至少一个处理器801执行以实现以下步骤:
数据获取步骤,获取输入的密钥数据;
数据随机化步骤,对所述密钥数据进行随机化处理,得到随机化数据;
全零窗口消除步骤,将所述随机化数据减去预设非零序列,得到全零窗口消除数据。
在本公开的实施例中,所述数据随机化步骤包括:采用最高位为1的整数字长的随机数和椭圆曲线的阶,对所述密钥数据进行随机化,得到所述随机化数据。
在本公开的实施例中,所述预设非零序列包括:在数据处理窗口中的至少一个比特为1,其余比特为0的序列。
在本公开的实施例中,所述预设非零序列包括:在数据处理窗口中的任意一个比特为1,其余比特为0的序列。
在本公开的实施例中,所述预设非零序列包括:在所述数据处理窗口中的末位比特为1,其余比特为0的序列。
存储器802存储还有可能被至少一个处理器801执行的指令,指令被至少一个处理器801执行以实现以下步骤:
数据获取步骤,获取输入的密钥数据;
数据随机化步骤,对所述密钥数据进行随机化处理,得到随机化数据;
全零窗口消除步骤,将所述随机化数据减去预设非零序列,得到全零窗口消除数据;
窗口划分步骤,按照预设数据处理窗口长度对所述全零窗口消除数据进行窗口划分,得到划分窗口后数据;
点乘步骤,获取预定坐标,初始化第一坐标,逐数据处理窗口计算所述预定坐标和所述划分窗口后数据的点乘计算,结合所述点乘计算的结果和所述第一坐标的倍点计算结果,更新所述第一坐标,得到第一目标坐标。
指令还可以被至少一个处理器801执行以实现以下步骤:坐标转换步骤,将所述第一目标坐标转换为指定维度的第二目标坐标。
指令还可以被至少一个处理器801执行以实现以下步骤:校验步骤,对所述指定维度的第二目标坐标进行校验。
在本公开的实施例中,所述获取预定坐标包括:
坐标随机化子步骤,对指定坐标进行随机化,得到随机化坐标,其中,所述指定坐标为满足椭圆曲线方程的坐标;
预计算子步骤,采用指定递增序列对所述随机化坐标进行预计算,得到所述预定坐标。
在本公开的实施例中,所述采用指定递增序列对所述随机化坐标进行预计算包括:
采用所述指定递增序列中的元素和所述随机化坐标进行乘法计算。
在本公开的实施例中,所述点乘步骤中的所述结合所述点乘计算的结果和所述第一坐标的倍点计算结果,更新所述第一坐标包括:
对所述点乘计算的结果和所述第一坐标的倍点计算结果进行点加计算,使用所述点加计算的结果更新所述第一坐标。
在本公开的实施例中,所述点乘步骤还包括:
在所述第一坐标为无穷远点时,计算所述预定坐标和当前数据处理窗口的第一前序数据处理窗口内的所述划分窗口后数据的点乘,使用所述点乘的结果更新所述第一坐标,并更新所述当前数据处理窗口为所述当前数据处理窗口的第二前序数据处理窗口。
在本公开的实施例中,所述数据随机化步骤包括:采用最高位为1的整数字长的随机数和椭圆曲线的阶,对所述密钥数据进行随机化,得到所述随机化数据。
在本公开的实施例中,所述预设非零序列包括:在数据处理窗口中的至少一个比特为1,其余比特为0的序列。
在本公开的实施例中,所述预设非零序列包括:在所述数据处理窗口中的任意一个比特为1,其余比特为0的 序列。
在本公开的实施例中,所述预设非零序列包括:在所述数据处理窗口中的末位比特为1,其余比特为0的序列。
在本公开的实施例中,所述窗口划分步骤包括:在所述数据处理窗口中,对所述全零窗口消除数据加上与所述预设非零序列相对应的特定数值,得到所述窗口划分后数据。
在本公开的实施例中,所述坐标转换步骤包括:
对所述第一目标坐标的第三分量进行求逆计算,得到中间分量;
所述第一目标坐标的第一分量和所述中间分量的平方计算的结果相乘,得到所述第二目标坐标的第一分量;
所述第一目标坐标的第二分量和所述中间分量的立方计算的结果相乘,得到所述第二目标坐标的第二分量。
在本公开的实施例中,所述校验步骤包括:校验所述指定维度的第二目标坐标是否处于椭圆曲线上。
在本公开的实施例中,当所述指定维度的第二目标坐标处于椭圆曲线上时,判断所述传输数据中的密钥保护方法未受到差分错误分析攻击,使用所述指定维度的第二目标坐标进行加密计算;和/或
当所述指定维度的第二目标坐标不处于椭圆曲线上时,判断所述传输数据中的密钥保护方法受到差分错误分析攻击,丢弃所述指定维度的第二目标坐标,和/或发出告警信息。
图9是适于用来实现根据本公开一实施方式的消除数据串中的全零窗口的数据处理方法或传输数据中的密钥保护方法的计算机系统的结构示意图。
如图9所示,计算机系统900包括处理单元901,其可以根据存储在只读存储器(ROM)902中的程序或者从存储部分908加载到随机访问存储器(RAM)903中的程序而执行上述附图所示的实施方式中的各种处理。在RAM903中,还存储有系统900操作所需的各种程序和数据。处理单元901、ROM902以及RAM903通过总线904彼此相连。输入/输出(I/O)接口905也连接至总线904。
以下部件连接至I/O接口905:包括键盘、鼠标等的输入部分906;包括诸如阴极射线管(CRT)、液晶显示器(LCD)等以及扬声器等的输出部分907;包括硬盘等的存储部分908;以及包括诸如LAN卡、调制解调器等的网络接口卡的通信部分909。通信部分909经由诸如因特网的网络执行通信处理。驱动器910也根据需要连接至I/O接口905。可拆卸介质911,诸如磁盘、光盘、磁光盘、半导体存储器等等,根据需要安装在驱动器910上,以便于从其上读出的计算机程序根据需要被安装入存储部分908。其中,所述处理单元901可实现为CPU、GPU、TPU、FPGA、NPU等处理单元。
特别地,根据本公开的实施方式,上文参考附图描述的方法可以被实现为计算机软件程序。例如,本公开的实施方式包括一种计算机程序产品,其包括有形地包含在及其可读介质上的计算机程序,所述计算机程序包含用于执行附图中的方法的程序代码。在这样的实施方式中,该计算机程序可以通过通信部分909从网络上被下载和安装,和/或从可拆卸介质911被安装。
附图中的流程图和框图,图示了按照本公开各种实施方式的系统、方法和计算机程序产品的可能实现的体系架构、功能和操作。在这点上,路程图或框图中的每个方框可以代表一个模块、程序段或代码的一部分,所述模块、程序段或代码的一部分包含一个或多个用于实现规定的逻辑功能的可执行指令。也应当注意,在有些作为替换的实现中,方框中所标注的功能也可以以不同于附图中所标注的顺序发生。例如,两个接连地表示的方框实际上可以基本并行地执行,它们有时也可以按相反的顺序执行,这依所涉及的功能而定。也要注意的是,框图和/或流程图中的每个方框、以及框图和/或流程图中的方框的组合,可以用执行规定的功能或操作的专用的基于硬件的系统来实现,或者可以用专用硬件与计算机指令的组合来实现。
描述于本公开实施方式中所涉及到的单元或模块可以通过软件的方式实现,也可以通过硬件的方式来实现。所描述的单元或模块也可以设置在处理器中,这些单元或模块的名称在某种情况下并不构成对该单元或模块本身的限定。
作为另一方面,本公开还提供了一种计算机可读存储介质,该计算机可读存储介质可以是上述实施方式中所述节点中所包含的计算机可读存储介质;也可以是单独存在,未装配入设备中的计算机可读存储介质。计算机可读存储介质存储有一个或者一个以上程序,所述程序被一个或者一个以上的处理器用来执行描述于本公开的方法。
以上描述仅为本公开的较佳实施例以及对所运用技术原理的说明。本领域技术人员应当理解,本公开中所涉及的发明范围,并不限于上述技术特征的特定组合而成的技术方案,同时也应涵盖在不脱离所述发明构思的情况下,由上述技术特征或其等同特征进行任意组合而形成的其他技术方案。例如上述特征与本公开中公开的(但不限于)具有类似功能的技术特征进行互相替换而形成的技术方案。
Claims (45)
- 一种数据处理方法,用于消除数据串中的全零窗口,其特征在于,包括:数据获取步骤,获取输入的密钥数据;数据随机化步骤,对所述密钥数据进行随机化处理,得到随机化数据;全零窗口消除步骤,将所述随机化数据减去预设非零序列,得到全零窗口消除数据。
- 根据权利要求1所述的方法,其特征在于,所述数据随机化步骤包括:采用最高位为1的整数字长的随机数和椭圆曲线的阶,对所述密钥数据进行随机化,得到所述随机化数据。
- 根据权利要求1或2所述的方法,其特征在于,所述预设非零序列包括:在数据处理窗口中的至少一个比特为1,其余比特为0的序列。
- 根据权利要求3所述的方法,其特征在于,所述预设非零序列包括:在所述数据处理窗口中的任意一个比特为1,其余比特为0的序列。
- 根据权利要求4所述的方法,其特征在于,所述预设非零序列包括:在所述数据处理窗口中的末位比特为1,其余比特为0的序列。
- 一种传输数据中的密钥保护方法,其特征在于,包括:数据获取步骤,获取输入的密钥数据;数据随机化步骤,对所述密钥数据进行随机化处理,得到随机化数据;全零窗口消除步骤,将所述随机化数据减去预设非零序列,得到全零窗口消除数据;窗口划分步骤,按照预设数据处理窗口长度对所述全零窗口消除数据进行窗口划分,得到划分窗口后数据;点乘步骤,获取预定坐标,初始化第一坐标,逐数据处理窗口计算所述预定坐标和所述划分窗口后数据的点乘计算,结合所述点乘计算的结果和所述第一坐标的倍点计算结果,更新所述第一坐标,得到第一目标坐标。
- 根据权利要求6所述的方法,其特征在于,还包括:坐标转换步骤,将所述第一目标坐标转换为指定维度的第二目标坐标。
- 根据权利要求7所述的方法,其特征在于,还包括:校验步骤,对所述指定维度的第二目标坐标进行校验。
- 根据权利要求6-8任一项所述的方法,其特征在于,所述获取预定坐标包括:坐标随机化子步骤,对指定坐标进行随机化,得到随机化坐标,其中,所述指定坐标为满足椭圆曲线方程的坐标;预计算子步骤,采用指定递增序列对所述随机化坐标进行预计算,得到所述预定坐标。
- 根据权利要求9所述的方法,其特征在于,所述采用指定递增序列对所述随机化坐标进行预计算包括:采用所述指定递增序列中的元素和所述随机化坐标进行乘法计算。
- 根据权利要求6-8任一项所述的方法,其特征在于,所述点乘步骤中的所述结合所述点乘计算的结果和所述第一坐标的倍点计算结果,更新所述第一坐标包括:对所述点乘计算的结果和所述第一坐标的倍点计算结果进行点加计算,使用所述点加计算的结果更新所述第一坐标。
- 根据权利要求6-8任一项所述的方法,其特征在于,所述点乘步骤还包括:在所述第一坐标为无穷远点时,计算所述预定坐标和当前数据处理窗口的第一前序数据处理窗口内的所述划分窗口后数据的点乘,使用所述点乘的结果更新所述第一坐标,并更新所述当前数据处理窗口为所述当前数据处理窗口的第二前序数据处理窗口。
- 根据权利要求6-8任一项所述的方法,其特征在于,所述数据随机化步骤包括:采用最高位为1的整数字长的随机数和椭圆曲线的阶,对所述密钥数据进行随机化,得到所述随机化数据。
- 根据权利要求6-8任一项所述的方法,其特征在于,所述预设非零序列包括:在数据处理窗口中的至少一个比特为1,其余比特为0的序列。
- 根据权利要求14所述的方法,其特征在于,所述预设非零序列包括:在所述数据处理窗口中的任意一个比特为1,其余比特为0的序列。
- 根据权利要求15所述的方法,其特征在于,所述预设非零序列包括:在所述数据处理窗口中的末位比特为1,其余比特为0的序列。
- 根据权利要求6-8任一项所述的方法,其特征在于,所述窗口划分步骤包括:在所述数据处理窗口中,将所述全零窗口消除数据与所述预设非零序列相对应的特定数值相加,得到所述窗口划分后数据。
- 根据权利要求7所述的方法,其特征在于,所述坐标转换步骤包括:对所述第一目标坐标的第三分量进行求逆计算,得到中间分量;将所述第一目标坐标的第一分量与所述中间分量的平方计算的结果相乘,得到所述第二目标坐标的第一分量;将所述第一目标坐标的第二分量与所述中间分量的立方计算的结果相乘,得到所述第二目标坐标的第二分量。
- 根据权利要求8所述的方法,其特征在于,所述校验步骤包括:校验所述指定维度的第二目标坐标是否处于椭圆曲线上。
- 根据权利要求19所述的方法,其特征在于,当所述指定维度的第二目标坐标处于椭圆曲线上时,判断所述传输数据中的密钥保护方法未受到差分错误分析攻击,使用所述指定维度的第二目标坐标进行加密计算;和/或当所述指定维度的第二目标坐标不处于椭圆曲线上时,判断所述传输数据中的密钥保护方法受到差分错误分析攻击,丢弃所述指定维度的第二目标坐标,和/或发出告警信息。
- 一种消除数据串中的全零窗口的数据处理装置,包括:数据获取模块,用于获取输入的密钥数据;数据随机化模块,用于对密钥数据进行随机化处理,得到随机化数据;全零窗口消除模块,用于将所述随机化数据减去预设非零序列,得到全零窗口消除数据。
- 根据权利要求21所述的装置,其特征在于,所述数据随机化模块用于:采用最高位为1的整数字长的随机数和椭圆曲线的阶,对所述密钥数据进行随机化,得到所述随机化数据。
- 根据权利要求21或22所述的装置,其特征在于,所述预设非零序列包括:在数据处理窗口中的至少一个比特为1,其余比特为0的序列。
- 根据权利要求23所述的装置,其特征在于,所述预设非零序列包括:在所述数据处理窗口中的任意一个比特为1,其余比特为0的序列。
- 根据权利要求24所述的装置,其特征在于,所述预设非零序列包括:在所述数据处理窗口中的末位比特为1,其余比特为0的序列。
- 一种传输数据中的密钥保护装置,其特征在于,包括:数据获取模块,用于获取输入的密钥数据;数据随机化模块,用于对所述密钥数据进行随机化处理,得到随机化数据;全零窗口消除模块,用于将所述随机化数据减去预设非零序列,得到全零窗口消除数据;窗口划分模块,用于按照预设数据处理窗口长度对所述全零窗口消除数据进行窗口划分,得到划分窗口后数据;点乘模块,用于获取预定坐标,初始化第一坐标,逐数据处理窗口计算所述预定坐标和所述划分窗口后数据的点乘计算,结合所述点乘计算的结果和所述第一坐标的倍点计算结果,更新所述第一坐标,得到第一目标坐标。
- 根据权利要求26所述的装置,其特征在于,还包括:坐标转换模块,用于将所述第一目标坐标转换为指定维度的第二目标坐标。
- 根据权利要求27所述的装置,其特征在于,还包括:校验模块,用于对所述指定维度的第二目标坐标进行校验。
- 根据权利要求26-28任一项所述的装置,其特征在于,所述获取预定坐标包括:坐标随机化子模块,用于对指定坐标进行随机化,得到随机化坐标,其中,所述指定坐标为满足椭圆曲线方程的坐标;预计算子模块,用于采用指定递增序列对所述随机化坐标进行预计算,得到所述预定坐标。
- 根据权利要求29所述的装置,其特征在于,所述采用指定递增序列对所述随机化坐标进行预计算包括:采用所述指定递增序列中的元素和所述随机化坐标进行乘法计算。
- 根据权利要求26-28任一项所述的装置,其特征在于,所述点乘模块中的所述结合所述点乘计算的结果和所述第一坐标的倍点计算结果,更新所述第一坐标包括:对所述点乘计算的结果和所述第一坐标的倍点计算结果进行点加计算,使用所述点加计算的结果更新所述第一坐标。
- 根据权利要求26-28任一项所述的装置,其特征在于,所述点乘模块还用于:在所述第一坐标为无穷远点时,计算所述预定坐标和当前数据处理窗口的第一前序数据处理窗口内的所述划分窗口后数据的点乘,使用所述点乘的结果更新所述第一坐标,并更新所述当前数据处理窗口为所述当前数据处理窗口的第二前序数据处理窗口。
- 根据权利要求26-28任一项所述的装置,其特征在于,所述数据随机化模块用于:采用最高位为1的整数字长的随机数和椭圆曲线的阶,对所述密钥数据进行随机化,得到所述随机化数据。
- 根据权利要求26-28任一项所述的装置,其特征在于,所述预设非零序列包括:在数据处理窗口中的至少一个比特为1,其余比特为0的序列。
- 根据权利要求34所述的装置,其特征在于,所述预设非零序列包括:在所述数据处理窗口中的任意一个比特为1,其余比特为0的序列。
- 根据权利要求35所述的装置,其特征在于,所述预设非零序列包括:在所述数据处理窗口中的末位比特为1,其余比特为0的序列。
- 根据权利要求26-28任一项所述的装置,其特征在于,所述窗口划分模块用于:在所述数据处理窗口中,将所述全零窗口消除数据与所述预设非零序列相对应的特定数值相加,得到所述窗口划分后数据。
- 根据权利要求27所述的装置,其特征在于,所述坐标转换模块用于:对所述第一目标坐标的第三分量进行求逆计算,得到中间分量;将所述第一目标坐标的第一分量与所述中间分量的平方计算的结果相乘,得到所述第二目标坐标的第一分量;将所述第一目标坐标的第二分量与所述中间分量的立方计算的结果相乘,得到所述第二目标坐标的第二分量。
- 根据权利要求28所述的装置,其特征在于,所述校验模块用于:校验所述指定维度的第二目标坐标是否处于椭圆曲线上。
- 根据权利要求39所述的装置,其特征在于,当所述指定维度的第二目标坐标处于椭圆曲线上时,判断所述传输数据中的密钥保护装置未受到差分错误分析攻击,使用所述指定维度的第二目标坐标进行加密计算;和/或当所述指定维度的第二目标坐标不处于椭圆曲线上时,判断所述传输数据中的密钥保护装置受到差分错误分析攻击,丢弃所述指定维度的第二目标坐标,和/或发出告警信息。
- 根据权利要求26-28任一项所述的装置,其特征在于,将所述数据传输中的密钥保护装置集成在芯片中,所述芯片在处理所述数据处理窗口的数据的过程中的物理状态处于预定范围。
- 根据权利要求41所述的装置,其特征在于,所述芯片包括以下芯片中的至少一种:电力管理芯片,燃气管理芯片,银行管理芯片,通信管理芯片。
- 一种电子设备,其特征在于,包括存储器和处理器;其中,所述存储器用于存储一条或多条计算机指令,其中,所述一条或多条计算机指令被所述处理器执行以实现如权利要求1-20任一项所述的方法。
- 一种可读存储介质,其上存储有计算机指令,其特征在于,该计算机指令被处理器执行时实现如权利要求1-20任一项所述的方法。
- 一种计算机程序,其中包括计算机指令,其特征在于,该计算机指令被处理器执行时实现如权利要求1-20任一项所述的方法。
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111164095.7 | 2021-09-30 | ||
CN202111164095.7A CN113609511B (zh) | 2021-09-30 | 2021-09-30 | 数据处理和密钥保护方法、装置、设备、存储介质 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2023050813A1 true WO2023050813A1 (zh) | 2023-04-06 |
Family
ID=78343313
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2022/091086 WO2023050813A1 (zh) | 2021-09-30 | 2022-05-06 | 数据处理和密钥保护方法、装置、设备、存储介质和程序 |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN113609511B (zh) |
WO (1) | WO2023050813A1 (zh) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113609511B (zh) * | 2021-09-30 | 2021-12-21 | 北京智芯微电子科技有限公司 | 数据处理和密钥保护方法、装置、设备、存储介质 |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20020124031A1 (en) * | 2000-12-15 | 2002-09-05 | Sheueling Chang | Method for efficient computation of point doubling operation of elliptic curve point scalar multiplication over finite fields F(2m) |
CN101197668A (zh) * | 2007-12-06 | 2008-06-11 | 上海交通大学 | 基于随机化带符号标量乘法的椭圆曲线抗旁路攻击方法 |
CN109582284A (zh) * | 2018-11-16 | 2019-04-05 | 大唐微电子技术有限公司 | 一种芯片中的标量乘实现方法及装置、计算机可读存储介质 |
CN110611559A (zh) * | 2019-08-21 | 2019-12-24 | 广东工业大学 | 基于算法层的抗侧信道攻击sm2点乘架构及其运算方法 |
CN113609511A (zh) * | 2021-09-30 | 2021-11-05 | 北京智芯微电子科技有限公司 | 数据处理和密钥保护方法、装置、设备、存储介质和程序 |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP5488718B2 (ja) * | 2010-12-27 | 2014-05-14 | 富士通株式会社 | 暗号処理装置、暗号処理方法、およびプログラム |
CN108242994B (zh) * | 2016-12-26 | 2021-08-13 | 阿里巴巴集团控股有限公司 | 密钥的处理方法和装置 |
-
2021
- 2021-09-30 CN CN202111164095.7A patent/CN113609511B/zh active Active
-
2022
- 2022-05-06 WO PCT/CN2022/091086 patent/WO2023050813A1/zh active Application Filing
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20020124031A1 (en) * | 2000-12-15 | 2002-09-05 | Sheueling Chang | Method for efficient computation of point doubling operation of elliptic curve point scalar multiplication over finite fields F(2m) |
CN101197668A (zh) * | 2007-12-06 | 2008-06-11 | 上海交通大学 | 基于随机化带符号标量乘法的椭圆曲线抗旁路攻击方法 |
CN109582284A (zh) * | 2018-11-16 | 2019-04-05 | 大唐微电子技术有限公司 | 一种芯片中的标量乘实现方法及装置、计算机可读存储介质 |
CN110611559A (zh) * | 2019-08-21 | 2019-12-24 | 广东工业大学 | 基于算法层的抗侧信道攻击sm2点乘架构及其运算方法 |
CN113609511A (zh) * | 2021-09-30 | 2021-11-05 | 北京智芯微电子科技有限公司 | 数据处理和密钥保护方法、装置、设备、存储介质和程序 |
Also Published As
Publication number | Publication date |
---|---|
CN113609511A (zh) | 2021-11-05 |
CN113609511B (zh) | 2021-12-21 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US20210256165A1 (en) | Protecting parallel multiplication operations from external monitoring attacks | |
US8369517B2 (en) | Fast scalar multiplication for elliptic curve cryptosystems over prime fields | |
JP4671571B2 (ja) | 秘密情報の処理装置および秘密情報の処理プログラムを格納するメモリ | |
CN107040362B (zh) | 模乘设备和方法 | |
US8428252B1 (en) | Using multiples above two with running totals in elliptic curve cryptography scalar multiplication acceleration tables | |
US8619977B2 (en) | Representation change of a point on an elliptic curve | |
US8422669B2 (en) | Method and apparatus for elliptic curve cryptographic processing | |
US11824986B2 (en) | Device and method for protecting execution of a cryptographic operation | |
EP3930252A1 (en) | Countermeasures for side-channel attacks on protected sign and key exchange operations | |
CN111539027A (zh) | 一种基于双方隐私保护的信息验证方法和系统 | |
KR100834096B1 (ko) | 고차 전력분석공격에 대응하는 블록 암호 알고리즘aria의 암호화 방법 | |
WO2023050813A1 (zh) | 数据处理和密钥保护方法、装置、设备、存储介质和程序 | |
CN107896142B (zh) | 一种执行模幂运算的方法及装置、计算机可读存储介质 | |
Seo | Compact implementations of Curve Ed448 on low‐end IoT platforms | |
CN111712816B (zh) | 使用密码蒙蔽以用于高效地使用蒙哥马利乘法 | |
US20090024352A1 (en) | Method, Device and System For Verifying Points Determined on an Elliptic Curve | |
EP1445891A1 (en) | Elliptic curve scalar multiple calculation method and device, and storage medium | |
US20020052906A1 (en) | Method for efficient modular division over prime integer fields | |
WO2024086243A1 (en) | Protection of polynomial cryptographic operations against side-channel attacks with change-of-variable transformations | |
JP2005020735A (ja) | データ処理装置におけるサイドチャネル攻撃防止 | |
US20060274894A1 (en) | Method and apparatus for cryptography | |
CN116821962A (zh) | 保护隐私数据的概率截断方法和装置 | |
JP2003255831A (ja) | 楕円曲線スカラー倍計算方法及び装置 | |
JP4502817B2 (ja) | 楕円曲線スカラー倍計算方法および装置 | |
CN117009723B (zh) | 一种多方计算方法、装置、设备及存储介质 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 22874211 Country of ref document: EP Kind code of ref document: A1 |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 22874211 Country of ref document: EP Kind code of ref document: A1 |